berbew | 5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Size

69KB
MD5

aa199dc318953336357f235dc13fa675
SHA1

73f048639d5a047e45f6fc7f70f6611541db33a6
SHA256

5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422
SHA512

d02c9e13b762f92579f5b374e53aa4b64dd66d1e812bcda256ef69aa880f60c74697e8e50dc65093561b998951d39afde05f4e949f05b04ab0e4534ce5d47960
SSDEEP

1536:ybM02W4qGKUtgudoEejjKamx6WPgUN3QivES:ybnUq5Lfqx6WPgU5Qu

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3192	Ofnckp32.exe
3496	Opdghh32.exe
3652	Ocbddc32.exe
3408	Ojllan32.exe
3784	Odapnf32.exe
3632	Ogpmjb32.exe
5008	Ojoign32.exe
1452	Oqhacgdh.exe
3692	Ocgmpccl.exe
4780	Ojaelm32.exe
4432	Pcijeb32.exe
4740	Pnonbk32.exe
364	Pclgkb32.exe
4608	Pfjcgn32.exe
5052	Pjeoglgc.exe
2840	Pmdkch32.exe
1088	Pqpgdfnp.exe
3332	Pdkcde32.exe
3808	Pjjhbl32.exe
1336	Pmidog32.exe
1688	Pqdqof32.exe
1556	Pjmehkqk.exe
3344	Qdbiedpa.exe
1836	Qgqeappe.exe
2508	Qqijje32.exe
1388	Qffbbldm.exe
5064	Anmjcieo.exe
2100	Aqkgpedc.exe
1644	Acjclpcf.exe
3080	Afhohlbj.exe
4516	Ajckij32.exe
1848	Ambgef32.exe
4204	Agglboim.exe
2184	Ajfhnjhq.exe
1332	Anadoi32.exe
3432	Amddjegd.exe
4168	Aeklkchg.exe
1748	Acnlgp32.exe
3328	Agjhgngj.exe
4820	Afmhck32.exe
5068	Ajhddjfn.exe
4752	Andqdh32.exe
4440	Aabmqd32.exe
3024	Aeniabfd.exe
3916	Acqimo32.exe
3268	Aglemn32.exe
3076	Afoeiklb.exe
4568	Anfmjhmd.exe
2736	Aminee32.exe
5028	Aadifclh.exe
2472	Aepefb32.exe
4544	Accfbokl.exe
944	Bfabnjjp.exe
3516	Bjmnoi32.exe
536	Bnhjohkb.exe
1936	Bmkjkd32.exe
3788	Bebblb32.exe
2200	Bcebhoii.exe
1776	Bganhm32.exe
5140	Bjokdipf.exe
5176	Bnkgeg32.exe
5216	Beeoaapl.exe
5256	Bgcknmop.exe
5304	Bmpcfdmg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4076	1816	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3192	2256	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe	83
PID 2256 wrote to memory of 3192	2256	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe	83
PID 2256 wrote to memory of 3192	2256	5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe	83
PID 3192 wrote to memory of 3496	3192	Ofnckp32.exe	84
PID 3192 wrote to memory of 3496	3192	Ofnckp32.exe	84
PID 3192 wrote to memory of 3496	3192	Ofnckp32.exe	84
PID 3496 wrote to memory of 3652	3496	Opdghh32.exe	85
PID 3496 wrote to memory of 3652	3496	Opdghh32.exe	85
PID 3496 wrote to memory of 3652	3496	Opdghh32.exe	85
PID 3652 wrote to memory of 3408	3652	Ocbddc32.exe	86
PID 3652 wrote to memory of 3408	3652	Ocbddc32.exe	86
PID 3652 wrote to memory of 3408	3652	Ocbddc32.exe	86
PID 3408 wrote to memory of 3784	3408	Ojllan32.exe	87
PID 3408 wrote to memory of 3784	3408	Ojllan32.exe	87
PID 3408 wrote to memory of 3784	3408	Ojllan32.exe	87
PID 3784 wrote to memory of 3632	3784	Odapnf32.exe	88
PID 3784 wrote to memory of 3632	3784	Odapnf32.exe	88
PID 3784 wrote to memory of 3632	3784	Odapnf32.exe	88
PID 3632 wrote to memory of 5008	3632	Ogpmjb32.exe	89
PID 3632 wrote to memory of 5008	3632	Ogpmjb32.exe	89
PID 3632 wrote to memory of 5008	3632	Ogpmjb32.exe	89
PID 5008 wrote to memory of 1452	5008	Ojoign32.exe	90
PID 5008 wrote to memory of 1452	5008	Ojoign32.exe	90
PID 5008 wrote to memory of 1452	5008	Ojoign32.exe	90
PID 1452 wrote to memory of 3692	1452	Oqhacgdh.exe	91
PID 1452 wrote to memory of 3692	1452	Oqhacgdh.exe	91
PID 1452 wrote to memory of 3692	1452	Oqhacgdh.exe	91
PID 3692 wrote to memory of 4780	3692	Ocgmpccl.exe	92
PID 3692 wrote to memory of 4780	3692	Ocgmpccl.exe	92
PID 3692 wrote to memory of 4780	3692	Ocgmpccl.exe	92
PID 4780 wrote to memory of 4432	4780	Ojaelm32.exe	93
PID 4780 wrote to memory of 4432	4780	Ojaelm32.exe	93
PID 4780 wrote to memory of 4432	4780	Ojaelm32.exe	93
PID 4432 wrote to memory of 4740	4432	Pcijeb32.exe	94
PID 4432 wrote to memory of 4740	4432	Pcijeb32.exe	94
PID 4432 wrote to memory of 4740	4432	Pcijeb32.exe	94
PID 4740 wrote to memory of 364	4740	Pnonbk32.exe	95
PID 4740 wrote to memory of 364	4740	Pnonbk32.exe	95
PID 4740 wrote to memory of 364	4740	Pnonbk32.exe	95
PID 364 wrote to memory of 4608	364	Pclgkb32.exe	96
PID 364 wrote to memory of 4608	364	Pclgkb32.exe	96
PID 364 wrote to memory of 4608	364	Pclgkb32.exe	96
PID 4608 wrote to memory of 5052	4608	Pfjcgn32.exe	97
PID 4608 wrote to memory of 5052	4608	Pfjcgn32.exe	97
PID 4608 wrote to memory of 5052	4608	Pfjcgn32.exe	97
PID 5052 wrote to memory of 2840	5052	Pjeoglgc.exe	98
PID 5052 wrote to memory of 2840	5052	Pjeoglgc.exe	98
PID 5052 wrote to memory of 2840	5052	Pjeoglgc.exe	98
PID 2840 wrote to memory of 1088	2840	Pmdkch32.exe	99
PID 2840 wrote to memory of 1088	2840	Pmdkch32.exe	99
PID 2840 wrote to memory of 1088	2840	Pmdkch32.exe	99
PID 1088 wrote to memory of 3332	1088	Pqpgdfnp.exe	100
PID 1088 wrote to memory of 3332	1088	Pqpgdfnp.exe	100
PID 1088 wrote to memory of 3332	1088	Pqpgdfnp.exe	100
PID 3332 wrote to memory of 3808	3332	Pdkcde32.exe	101
PID 3332 wrote to memory of 3808	3332	Pdkcde32.exe	101
PID 3332 wrote to memory of 3808	3332	Pdkcde32.exe	101
PID 3808 wrote to memory of 1336	3808	Pjjhbl32.exe	102
PID 3808 wrote to memory of 1336	3808	Pjjhbl32.exe	102
PID 3808 wrote to memory of 1336	3808	Pjjhbl32.exe	102
PID 1336 wrote to memory of 1688	1336	Pmidog32.exe	103
PID 1336 wrote to memory of 1688	1336	Pmidog32.exe	103
PID 1336 wrote to memory of 1688	1336	Pmidog32.exe	103
PID 1688 wrote to memory of 1556	1688	Pqdqof32.exe	104

C:\Users\Admin\AppData\Local\Temp\5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe
"C:\Users\Admin\AppData\Local\Temp\5d25e3683033386b46bde997975e10c2dc76fdd313b111f57bcad6c750789422.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\Opdghh32.exe
    C:\Windows\system32\Opdghh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\Ocbddc32.exe
      C:\Windows\system32\Ocbddc32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        69⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 216
        89⤵
        Program crash
        
        PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1816 -ip 1816
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
69KB

MD5
9911587bc23a65da01060354afd99132

SHA1
d8b9c8f2c473c61ac8eb007c34698218ffbe6ad0

SHA256
5e7d38feb8ffd9abd3bd7b3263cef1a60d1a2eb5b1cd0435468f91ce5f23632f

SHA512
e96daa21756e252a5cfb3166f2744f5662ac7b62a46922dca43ce28c8e7da07fe235f58e92bf2a06232163cd4a466be3cd580fce4e4987639c34328033450d89

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
69KB

MD5
db3ecdc7f3cb0fb9179453292747eb0e

SHA1
1f773d047335553d1409020d32402a5b9cc02e4c

SHA256
064ad39760e0319480e21da651fb2d4d241eb055e14de3da6e3da3e4bef5a45b

SHA512
0409069f174e92a4fa8738b375de9731a2d52991b8ae6b22dd0a15c2dcbec531a0f25d0b6da9f9ddd590df548a3e2f636ebd8113130dab6634b5fe23eb992c46

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
69KB

MD5
9e964f8d72072ceb6272420d8c5d9536

SHA1
0196a04e1633e5abb9aee5baed050121244cb3d9

SHA256
c340a20a406e5164d0cac38e9fe26d5d53dfc4462fc20ce9d1139b8e3e0cba2f

SHA512
47ed422ba46d72486d744b059ea11813efacad9b8aeeadd63e325c010abf5523226406da6d2538652a30e0452f4370a81a221bb4682fa5968649b90fdc2a98df

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
69KB

MD5
de23d522f385b1b3619ae2fc094b329d

SHA1
9c30b8d04a4a1ba27ad94b6b87bf527736362b05

SHA256
9ddf06521fbd3e4650c18e31111729289e74bb63ef3e1ab184c4c1f6d2010d42

SHA512
32f5eae1f81ac96ed1538a21c5bd0ae36a24cb26102e67fce9a190438c22b70688ff0e96b03b02c44e00c29597d317277addbcc115e86170cf46ae3cbc458100

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
69KB

MD5
51ab06bb5493d67b42e4dd1e7cf1f494

SHA1
b4de7400cd588ddf530a8ff0768b4bf3531bb9d6

SHA256
7ae53bbbdc8360803ce7ea248f19de0db9b1957e6c9fc3492d5edfede12f60c4

SHA512
5ba18dcd62f6d33863d7e3ea6aba225715b6b1bfedf8fc7a48639b610e0cfb055da443e7d2131ab73d9b41ff110bb1fb87d5f302768defc8b418e2bc9eb259b2

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
69KB

MD5
da78a4bd175bae6c65e5e11394512c6a

SHA1
b28ddf05c7e8f18f0cb84849c40caeb122e95a22

SHA256
f26e2aadf317cf628b6375f91c7fe0f5c58b923b16dacf908ec9cc9d39cecc4d

SHA512
d1d8c4cbb8fcd73caf7b5e41a3b7b5aab7225906be17f9f1d0c19ade619f6b18b4b4294fdd8619886316c9ce1b3ae056934cc84190db947dcf8a93c4c0c66b06

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
69KB

MD5
a00ee09dcf9b5bdeadac30c8eb5eee9e

SHA1
83dd31531848f2f8edd92778d4d31adca357480a

SHA256
91469cc2c0aad0d983998a9be0870ab834a76ecc62f64997791cafdf4c795616

SHA512
98bd389b2e7ff62d7606338c23b06962a5431198c607aa0118d4aefb1cb7f67b4e70b827c312d035f7aa5481c8ba5ca5ee8d79f4974f3e4d1928c4aa2b604102

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
69KB

MD5
aefb71d458aba7210c684e61e5f136c0

SHA1
d71736f2487d8d7cf3d5d8ad0d7c90d1145c585c

SHA256
e5cca12f4e885f92dc6be3904a9180530d4d862268e9e80a8d16363e47bd7031

SHA512
b74ab08745ef50df72037e76d68701e150618a2b1d0f514683b0708d9bea7be7d69cfd65d773ba9802f00977c1bb86dcf581c928f5d8087a71c196c232d38375

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
69KB

MD5
6f7df2d0395b8ddb197dd5331b4789c0

SHA1
a04fceeda9529c49bb7fdf6aad7d4c898dea13f8

SHA256
414c0a625ebdd80553af7c689ff3ecba9c7140403e8415d016fbb8637c5fa65d

SHA512
79ae7034ffa85bcc4dbeae9156aecc4e6f193c6737f4d4b0e1afd04bc4f6764f219192af384226d8642570e8085115142c3366eabdb3b2a59bc0ba81cf0dcd9f

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
69KB

MD5
b55e2e4bc9f4aa3d2121c5f0a1999450

SHA1
ab3fa5f094c02b9cf99280fc1d7018d2d6cf1513

SHA256
f49e60b7d19713431bf29d746c7e6a9a83168ccedaf79d569c65557cde071149

SHA512
479724340efed78cbcabe7cd2a7b80f0a99f782b31813303ecf59cdc0469234a08448a8572a015e8d0ee7ff7a54694ed0b4dfd22b444dd251ffb113ebd54162b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
69KB

MD5
63222c5986330e7b6ee7e3ec3becfd3b

SHA1
ff005be4924f0426bb6e6a7f218b8f29a4e35534

SHA256
041f002d9d5a98b26ecec9726966785e17faadf7170aa3a6c7abcf1061537e3c

SHA512
1a73e76cb790a282fa2aada46c25c131bba25d7e66ceaaa2882c762d183ac6dc21c612425fcce294744fb5799a7101b587c0f2b58e2dd6bc1f56903df98552a5

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
69KB

MD5
8fb803de4a721c34eb1dbf7266bc86c3

SHA1
0a65caecac4051c3e5b38f44e95ef6d196697559

SHA256
8bd3090c0687c0337952ffda687497f94586ab324454cd8e7e2d6a0aae7fd99c

SHA512
95161780c81d89e72f447ad0e70ed3a42cbef3e79dab4bc0bcfc47e438ac2caa7b1724d10bd121c10df67ca9d5b236e5e44a2417e47b31e280b4e192f0bf61f5

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
69KB

MD5
6e5f15ae95dd30ea9726b67dc58185da

SHA1
76e05a010d342c49532359bf63eedbcf0f57b688

SHA256
d1a9c90575e94e36b5dae0a6ed7ad492e523640451090d53f89f27aa102ce7f3

SHA512
221dd0aa4b71b83bea60d7438d9fd59e9c487387fcb11a99fddfe6448026ea81dda750eeaf8f5e975c221023e7e446ef18cddc7156d5c598331766b6d529ffbc

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
69KB

MD5
a6f6b19479956e74479e4e8df50ab261

SHA1
a8a4a70071cde871c9a7cbe01d9b90c1d26ed61e

SHA256
b5210b9c27ce493b5cf665529d47405eeb239347f3773ccb78ab9da5fd1b6b32

SHA512
99ccbb9ffc961c93ee613029ba7330f65cf97c236f5d3adaec36a27d0e5a822d0a420cf4082e726af38eefb5830d8ec74e7d8ec21d8d842a15169efee61954c3

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
69KB

MD5
713788b76f0e3efab7b7572b79c0ee56

SHA1
40970119e39a875c957aca0ab0d519892e3eb122

SHA256
87dfe52a40e7e1a94720f06d5bf8febedffdb50c102ba7371ea61cd409bfd772

SHA512
7878fd5a7e2f892cf2d30b5b9006a6e857ef97bd958564b341fe7e66f1f2a96c6a9a1366dfb4118520226a2f04c418d3409cd51a82632ed06d139cf805027835

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
69KB

MD5
6cec121046626689197db9c92a5a2307

SHA1
36ddad2e2ce37696ac54f0f7b65779dd87405757

SHA256
f94a36580fc10791174b678a34971e404047ec173c88d2fff342376e43534aed

SHA512
a95b0eba3fc9131cca0d91fb1387df1d728003b36a808df43a60ee810e9ba675d47a9c3c0db10cffedd469b51f8ff4f9a50c2382f8f1ecdd185fa72a289c4e3f

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
69KB

MD5
f6130349cf7d29f4cea0891ad2c8a864

SHA1
2b446cbbfd19d517d9ed53f5dc2411ecee50ff96

SHA256
ed181c347e618518c05956c3f423d50c36e85531be2d99a5554d654f41e34cec

SHA512
50245afbfb5446f0d79ccbff34a258f3495d274589daa7b8778cd1ee9b27d254f43eff36f067825064eeba6d8baeaeda78c3212b40aa527855cab6d23f2aad69

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
69KB

MD5
a825c50a62b5997b0724487523c08da0

SHA1
2ca86ea877b1fb52459c6a0351d8de3b29ad26c4

SHA256
9c31757df4a6e51e176c0f9293e73be704f9875c3aa17d341846ffb55d10a88b

SHA512
374976bf5d238cb1321437b3eef77fe2a96f62cc27b4db0c2ae6fc4f1bbb7a5a97a6e1f371c6881f669a9daeebffe23a6b40bb057b813cee8cc2f17e9c2bfcc5

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
69KB

MD5
a296ac9ffc1c9167f7129eccd654e99f

SHA1
28b029df6ad43a8638849cc9ddc778f6be69b57f

SHA256
afa53fc35e20a9b1815b28534bc0f3030039fbe2accd5a76471c21e87478051a

SHA512
03bd8b9c1cbf8f1388e8a0cae5b5ecb990b469afcc84818a32b29742fbcf22764f295e5c93bc74d046ac85cde1875b9c190b824e920af1e626287a6e5a693961

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
69KB

MD5
016389bcdd2e955924fdd6a15cd6c972

SHA1
b3c4e324fa64edac209716f4e3ff9cec47bde63a

SHA256
cc979d59bfdb338f72967417aa4b0948f999e130f47c2c74883b6c552ef74140

SHA512
b276ddf764fa0e58bcd57beba73b95c4c2981a9295482f7f10ed189ce913264f74a100f5657e7b39c61f410740d7b5023d781dd1665c167dfcfc9180d17e68e6

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
69KB

MD5
44669311372c5d49c802f81ffe74c10e

SHA1
801f4ff9c5fba4750ed44ecd88cd9e99f17cb074

SHA256
76eb64b7464fe57f35a677f5bcb761ff401eaac24644ff474f2e6bcb76d7fe5f

SHA512
ae2558ce32d4367ebacd5b77d8aaa1f5c61358823e18c78a384db523783b6b000824997a700725b09682c1bb153d941462b93b1e615b3e269760d7619ce8eac0

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
69KB

MD5
bad9a61648be6587b6010a7d63746afe

SHA1
504fedcd1c01e624634c1456afed354935035d09

SHA256
f9bd38e02df8994b186fb06f77c374f8af5fcd1657f0d98e76c0642a0e98d8c3

SHA512
68d3ac9eb67955e3b6fd51e38f04b5974d7343df0c93248aa39795f4fb013d1199cb5f1159f6bb86956ad21861219b105eb39faf8a6412ed20b6fb13d5da42b5

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
69KB

MD5
5e69696599c04cacd92f528cc9d456e6

SHA1
ece08677606cdaa664c7e5340562fe8934fc407c

SHA256
fae7f33c886755d4976486eb7eb6e0865b29e879bc0efc4423c57842052a5ca9

SHA512
119cb7d7851f68ce3891de4b2c808b441d122a49e17e15d2923a81d2b8eaa58ad4940499dc27a7b18cff9c11100ac4a6c057b326dffe04ab4a73617694711432

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
69KB

MD5
7827c884f24575615bf9ba56d016bc4f

SHA1
2b1ae861ee1460b68671ae29255c768a8c150f4b

SHA256
a6b448481783380e38191d16a3c305b8076c445e7336c9ec72c9e3ad9bb702ae

SHA512
8dc876a0e6a234fcc4bf22bdfc7f1657a07961a571efc81cafa45ae971ea4275bfedf6f7cc16a2e35648113af23966f488a05aad8cbb4083bc931cc448ccb2c1

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
69KB

MD5
0d8a8a344bce7d284ec0b509788d733a

SHA1
194da0095c6c95dd75bae871aea94c94d08f9314

SHA256
75e68424731576f25920700cd11fdb21407567c35c29602b947561f12890080a

SHA512
8e4cacb207c16dc0b6ac0b45652e046ce32647674c0c770ed07d047c6b1057b74ea85f0c0b86b481f9dd9a3f0400b472d44c21d11dc5ab637046b339e26b6b98

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
69KB

MD5
a76055854a5c181dd7d6e3f3c5096808

SHA1
bfc0691d44745529f0750449187f596ba005c426

SHA256
aed4ccf214978118ca3f03b525869cfd649dcb8e219b803cbb65a082465310ea

SHA512
2b259c43f7d898a46198085880fd18ccf42af1ba173900fabfc704b94302c4eae78199c73208a0f4e6e66870394272e65b038d24600ca41914a376649197c28a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
69KB

MD5
015329be7845f8ab38e9cea991fd056c

SHA1
4f473935a31a3d2573995cdc4f8449f405352d47

SHA256
fe78cb6217052f85c89b94b39ebe8039abe2c7055247adbe01535b0d5ce5e660

SHA512
9d657f7f2c4246f2efb3d42e60054baafd3093c2abba0054a602afa5324f04fe6d861bf96753f847f06afc238a7090259e2d1169f53a5e7ab1fb35907e6112dd

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
69KB

MD5
0cad922508f6c1b1c72aaeb798e71d0d

SHA1
2e4f2ebccfdd9714aa4bbae7001f7b21cf8bdd1e

SHA256
fa57c311f57bd35daa60089686541ae67078cfc54f885376cc6d2a2f609a9d14

SHA512
08c589fdba99e57648ac997ef4cc48848c27212d0c2372ba3585539bf4f4ef1edf42a0c1c2be49e435058a87324c9af31d3b40b11f9628d0ccf979e3f06a39ff

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
69KB

MD5
1dfee5f9272ab5fcb60219453fbd0951

SHA1
4f49fd665485af46e41f9600db432c634ea5fe0d

SHA256
1832ca8f925db23c71e2e5da665da1699dfb1ac527e5a5737b96494109c73354

SHA512
d6b3a881bffc9e86ac386c6198c4686c7714011feadf4c7823a290d2010b237427e89562d5bf5dc42a5823410e9eddf001ae3a15e2a80eae2fdff70a56436ca9

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
69KB

MD5
2540edceaa13ce92ea49fedd850bbc07

SHA1
af33acf07f4f6b26e986c72337233bb5648be085

SHA256
7290938a47c75fb66eb5b19f19020593393513b0597ee24751f631b2cb2c3acb

SHA512
d7e4ec986c199c01446115a8c1a8e83360adfffc4fd146aae2ea5777eb037d63704f0d0dddf937246aab8644b1d5e8c5aae79790bb2a667397b80879cbc5b6ee

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
69KB

MD5
fbcd6077b5038c7cdf10d5bc3f2eddf1

SHA1
48dab2d3733851778d444f55ea9f00c18830a00e

SHA256
45e32590aabf8d90c382a3e652bd64be9d27399b9e3b870a3ec705d4984bc6f5

SHA512
49cf3619a86925ca32278e01d4aff52c2e26934e0ddba228062adf9b2022994ebf88939fa12723dab709d6331e6d743f7857e43b46942fb3ca024d30023454b1

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
69KB

MD5
8f306105c9fd064bcb3ab08b3e71a123

SHA1
214b26ade58669ff15f0e3eb72ff11771a227c8f

SHA256
8a1d8d7f47833a4adf52c260772c0014fb677f873672ff0ea21f19c89613c8ad

SHA512
4e34cdc1980c8eb65b8a8e4971ad71aafde032c677a53ef309aa37d69816f30b70ec2f11b7bef55811341288b3d5a43b91dc26cda59d39453243c9efad451e6e

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
69KB

MD5
5c5925ce94ee71d3fd8e2b62ae26d99e

SHA1
18f9e7e5ff173772da6c7bf7db5d2807bd4a0b95

SHA256
da9667eb2b42ee4caa5121e5ef5e68d3296722bae94ae4685987dd62853bb22d

SHA512
724ec3fe26baa97c2c6006a7a8a2a72580c0b5649f0c77885ff28e4cbfce1d52041681229905cabb8c1bb7280a024970d98947f16ca4d2c0bffaafbfd89e2a97

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
69KB

MD5
b4386364d304f05567ef7dc6ac4f243e

SHA1
54105e650069219711a9e9aeb0178e1a8d6a2b53

SHA256
0b87a4dc33272b8dd6b3dc16a49bb696855efc025edd326dd09e3c28f057ab69

SHA512
fbdb5d14fc19b8aff0feeb72b8c7afe74cb9df9f96068641fa5d961dc4e9d118c92d5d4f4dfc67fe9d7cef5c1abf2db5aa48014eb848ea2928b3f68061b418bb

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
69KB

MD5
f6fdd78c0b503627f4c3befbf128461f

SHA1
641d8cd5bee50eae1b6563f35986c3461006a980

SHA256
3894494240009eea6f6c96fcf9e9ac256db9952f4d6b41e8325a98c8ce82ad3e

SHA512
2a017ec79b8b01d6d7699a8fc5445d8a7ef5c2f34d50f42a840716087ba94baf5c8e6d84e7b9a727bdaf1d17f37846c94d657392d8ebf4a70c53e3fbd4304f23

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
69KB

MD5
9acf48f75135f4a171952638e1af0733

SHA1
7139f37f82fe75ef922c8759315b06b09178de81

SHA256
86e2d7b03b93c169626185c1c91b9c3844a77cc8bc4b2a72ca99fcfd0776dac4

SHA512
c8484df98505cc84ceb8119345d8f801748de23b8ec4720bf91243767d35877ca85e481de35005882e3d4bbbaf2d031f99661d4be44962144f67ac8392d19467

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
69KB

MD5
14720b45a32b9ced76de56751863b3df

SHA1
a873938dc8f96d3ecb58e8b6b60e0d6bd1e7e6a3

SHA256
a81b690547452edad535ef6c4299376b2c4048b187ccd7be95aafa9476d93d3e

SHA512
c13698ca0291dad7a560beb7e969be719c22cabc2be8a5de0b6899c00d2a781116ce9e7243b15f539164f882ddf889fb06790c3ee8b00a0a0ce39e7de1e652b9

Download Submit
memory/364-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/364-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1836-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1836-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1848-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1936-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2472-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3080-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3080-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3328-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3332-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3332-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3408-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3408-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3432-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3652-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3652-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3692-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3692-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3784-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3784-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3808-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3808-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4204-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5140-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5176-461-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5216-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5256-468-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5304-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5340-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5384-486-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5424-492-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5464-498-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5508-504-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads