berbew | 493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe
Size

352KB
MD5

f7dc55c94269df3fce97ffc0a6ab68d0
SHA1

09a61a1c43385c4fae35d65c321ccbf4e7317369
SHA256

493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765
SHA512

334a01f352fccdf9bc80fe8e56b09785ce83e0e95ddd07fc3713190e369e132876e9c6c8376bb24e5365c3d6b577596bb9201a4d5d84275d08eb219e2ab2889f
SSDEEP

6144:Dq1YeLca8bwV8pui6yYPaIGckfru5xyDpui6yYPaIGckSU05836pui6yYPq:Dq1hLcJXpV6yYP4rbpV6yYPg058KpV6a

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1284	Pfjcgn32.exe
4740	Pnakhkol.exe
4536	Pqpgdfnp.exe
1912	Pmfhig32.exe
1812	Pqbdjfln.exe
1108	Pjjhbl32.exe
4796	Pmidog32.exe
4976	Pcbmka32.exe
2028	Qnhahj32.exe
1632	Qfcfml32.exe
1904	Qjoankoi.exe
3268	Qqijje32.exe
4356	Qcgffqei.exe
4780	Anmjcieo.exe
2484	Ajckij32.exe
4600	Aqncedbp.exe
2000	Ajfhnjhq.exe
4456	Amddjegd.exe
2500	Aqppkd32.exe
4900	Acnlgp32.exe
2848	Andqdh32.exe
956	Aglemn32.exe
1372	Ajkaii32.exe
1724	Aminee32.exe
676	Aepefb32.exe
2824	Accfbokl.exe
4504	Bfabnjjp.exe
584	Bagflcje.exe
508	Bcebhoii.exe
3796	Bganhm32.exe
5020	Bjokdipf.exe
4148	Baicac32.exe
4296	Beeoaapl.exe
3196	Bgcknmop.exe
960	Bffkij32.exe
820	Bnmcjg32.exe
3604	Bmpcfdmg.exe
2460	Bnpppgdj.exe
2396	Bmbplc32.exe
1376	Beihma32.exe
2640	Bhhdil32.exe
1652	Bfkedibe.exe
3260	Bmemac32.exe
3608	Bapiabak.exe
4568	Chjaol32.exe
3036	Cmgjgcgo.exe
1400	Chmndlge.exe
4956	Cjkjpgfi.exe
1492	Ceqnmpfo.exe
760	Cfbkeh32.exe
3576	Cnicfe32.exe
2676	Cdfkolkf.exe
2684	Chagok32.exe
2588	Cmnpgb32.exe
4888	Cajlhqjp.exe
3280	Cffdpghg.exe
1100	Cmqmma32.exe
4732	Ddjejl32.exe
3932	Djdmffnn.exe
2524	Dhhnpjmh.exe
888	Dobfld32.exe
2288	Delnin32.exe
3184	Dodbbdbb.exe
2952	Deokon32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4940	4972	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1284	4052	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe	83
PID 4052 wrote to memory of 1284	4052	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe	83
PID 4052 wrote to memory of 1284	4052	493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe	83
PID 1284 wrote to memory of 4740	1284	Pfjcgn32.exe	84
PID 1284 wrote to memory of 4740	1284	Pfjcgn32.exe	84
PID 1284 wrote to memory of 4740	1284	Pfjcgn32.exe	84
PID 4740 wrote to memory of 4536	4740	Pnakhkol.exe	85
PID 4740 wrote to memory of 4536	4740	Pnakhkol.exe	85
PID 4740 wrote to memory of 4536	4740	Pnakhkol.exe	85
PID 4536 wrote to memory of 1912	4536	Pqpgdfnp.exe	86
PID 4536 wrote to memory of 1912	4536	Pqpgdfnp.exe	86
PID 4536 wrote to memory of 1912	4536	Pqpgdfnp.exe	86
PID 1912 wrote to memory of 1812	1912	Pmfhig32.exe	87
PID 1912 wrote to memory of 1812	1912	Pmfhig32.exe	87
PID 1912 wrote to memory of 1812	1912	Pmfhig32.exe	87
PID 1812 wrote to memory of 1108	1812	Pqbdjfln.exe	88
PID 1812 wrote to memory of 1108	1812	Pqbdjfln.exe	88
PID 1812 wrote to memory of 1108	1812	Pqbdjfln.exe	88
PID 1108 wrote to memory of 4796	1108	Pjjhbl32.exe	89
PID 1108 wrote to memory of 4796	1108	Pjjhbl32.exe	89
PID 1108 wrote to memory of 4796	1108	Pjjhbl32.exe	89
PID 4796 wrote to memory of 4976	4796	Pmidog32.exe	90
PID 4796 wrote to memory of 4976	4796	Pmidog32.exe	90
PID 4796 wrote to memory of 4976	4796	Pmidog32.exe	90
PID 4976 wrote to memory of 2028	4976	Pcbmka32.exe	91
PID 4976 wrote to memory of 2028	4976	Pcbmka32.exe	91
PID 4976 wrote to memory of 2028	4976	Pcbmka32.exe	91
PID 2028 wrote to memory of 1632	2028	Qnhahj32.exe	92
PID 2028 wrote to memory of 1632	2028	Qnhahj32.exe	92
PID 2028 wrote to memory of 1632	2028	Qnhahj32.exe	92
PID 1632 wrote to memory of 1904	1632	Qfcfml32.exe	93
PID 1632 wrote to memory of 1904	1632	Qfcfml32.exe	93
PID 1632 wrote to memory of 1904	1632	Qfcfml32.exe	93
PID 1904 wrote to memory of 3268	1904	Qjoankoi.exe	94
PID 1904 wrote to memory of 3268	1904	Qjoankoi.exe	94
PID 1904 wrote to memory of 3268	1904	Qjoankoi.exe	94
PID 3268 wrote to memory of 4356	3268	Qqijje32.exe	95
PID 3268 wrote to memory of 4356	3268	Qqijje32.exe	95
PID 3268 wrote to memory of 4356	3268	Qqijje32.exe	95
PID 4356 wrote to memory of 4780	4356	Qcgffqei.exe	96
PID 4356 wrote to memory of 4780	4356	Qcgffqei.exe	96
PID 4356 wrote to memory of 4780	4356	Qcgffqei.exe	96
PID 4780 wrote to memory of 2484	4780	Anmjcieo.exe	97
PID 4780 wrote to memory of 2484	4780	Anmjcieo.exe	97
PID 4780 wrote to memory of 2484	4780	Anmjcieo.exe	97
PID 2484 wrote to memory of 4600	2484	Ajckij32.exe	98
PID 2484 wrote to memory of 4600	2484	Ajckij32.exe	98
PID 2484 wrote to memory of 4600	2484	Ajckij32.exe	98
PID 4600 wrote to memory of 2000	4600	Aqncedbp.exe	99
PID 4600 wrote to memory of 2000	4600	Aqncedbp.exe	99
PID 4600 wrote to memory of 2000	4600	Aqncedbp.exe	99
PID 2000 wrote to memory of 4456	2000	Ajfhnjhq.exe	100
PID 2000 wrote to memory of 4456	2000	Ajfhnjhq.exe	100
PID 2000 wrote to memory of 4456	2000	Ajfhnjhq.exe	100
PID 4456 wrote to memory of 2500	4456	Amddjegd.exe	101
PID 4456 wrote to memory of 2500	4456	Amddjegd.exe	101
PID 4456 wrote to memory of 2500	4456	Amddjegd.exe	101
PID 2500 wrote to memory of 4900	2500	Aqppkd32.exe	102
PID 2500 wrote to memory of 4900	2500	Aqppkd32.exe	102
PID 2500 wrote to memory of 4900	2500	Aqppkd32.exe	102
PID 4900 wrote to memory of 2848	4900	Acnlgp32.exe	103
PID 4900 wrote to memory of 2848	4900	Acnlgp32.exe	103
PID 4900 wrote to memory of 2848	4900	Acnlgp32.exe	103
PID 2848 wrote to memory of 956	2848	Andqdh32.exe	104

C:\Users\Admin\AppData\Local\Temp\493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe
"C:\Users\Admin\AppData\Local\Temp\493256cf6c3b4abdca4f4e238cd5cf31eb303600f8d3fd0f9223081cad5a6765N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\Pfjcgn32.exe
  C:\Windows\system32\Pfjcgn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\Pnakhkol.exe
    C:\Windows\system32\Pnakhkol.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\SysWOW64\Pqpgdfnp.exe
      C:\Windows\system32\Pqpgdfnp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 408
        71⤵
        Program crash
        
        PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4972 -ip 4972
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
352KB

MD5
8e691741c19017e7c9db1dfc170d3159

SHA1
c5c5f058495d6860b6be0d6ebcf6e6deba5667a7

SHA256
488eddb9926a9ba06c08a80cb9443e883ceae14c63f788fe233953f4316908ba

SHA512
e0ba3df8d2c7a8b96f0b7eec67b518661678ef2d5c18f11d46b0fae6fc5c4e3881c2728d8b14c3c76071e8781c6ff124d0f3c77fdff861d0da5f7fd0218829ea

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
352KB

MD5
59020b5bd6e4275a68a6362cff8b8409

SHA1
6ae2e4082ca3d3db9572171fe8cd5c3f1094ceea

SHA256
a8042c64432c216dfd3c028d54c66358b566ec8ad3ada5c90b700c926fb20c06

SHA512
0fe057e509d8913fcae55ae725fcf67d2bf6912fb84d032eea0b335589c135b34f6d7411669ba42d4c4986804f1108ac3525ad70327086e5094b74786f0dd3f7

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
352KB

MD5
9ba97f219481e09be367087a29df5cd7

SHA1
d582890928964b5033147c58ddafb6f1c5dc52bd

SHA256
957a7e5d88e6306f0b59b13e67c588fc14e099e1e18f19117caf8e3c5485f3f8

SHA512
f0d4419ae75b6a54d4555f00fb3074c6c35be3da68d97906debb9e848a8f7bea7b0bff30b161e08d3d8689bb0f3acc808f0d1e217c0d4d2d60010ff1c9a48fdd

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
352KB

MD5
fb4f141f92d0252a090ad529422084eb

SHA1
956bb40c47efcde0ab6c238a5e93b5705f2671a9

SHA256
c4cdf4c5f91e6d10db1cfd9db09a86e7c17d493249200ef03aeaf57d0d6986ae

SHA512
4504bfa4388a8c574c0bd680e3e8bea47aa1867a6d9ea801c18510a5b706431de6c9963cf5dc09ef3d707eb16d92fefbb5e01b95c5601084e1149f6a14a9150c

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
352KB

MD5
0f551075fd7647d88f5e705ba25c694b

SHA1
2fbd42229a089d6ce281496376e43d47ce38e17d

SHA256
c4066d85dc15c00a08b5f6de16503e081b8e8a65a15564da43060092eea3a22f

SHA512
7e6e627272328b66c8c0785969c1abed41618337bed9a16f1ec81ddbd69ccb4da92d7d4747883adf16cc6e7f336f00758647c8ace834c5be46e022d3d1dd796a

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
352KB

MD5
11984f35196f9d253360f124e5ae6b9a

SHA1
3564e664cfc00c532522e333f7ac7b2ef1d25b5d

SHA256
7a438aa43cfa08612f6e8fc62c42b2d659b051bfbc180efc69362b7b2584ad9f

SHA512
300d6db1f106edbb354f9bd9041a931fbb66dbc25fe41f57a6beefc16ddaae5990c5951276b4d61df2e148b8c60839bed1a40ec9737711f452e474faa5036262

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
352KB

MD5
7b8ef33e58c75d063b31d7a3e12b3cd5

SHA1
0f900428b061c8cff6749ee3e7b1f04a08be3245

SHA256
63ca32ce641003da19d74f1d2fab3c39d59d05511d6c2ac26a26d5e982ed62be

SHA512
757ab332f0571f8a7f4206c5eae647c1399e5997bfc5e5022bf0f9d26c91e9447afdb4d1d33f01adccf09efa99e943a02d04514d8fcec072da1c894d5a8d8ba9

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
352KB

MD5
aac7ccef67a32272706b1e101285ebe5

SHA1
668e2ac5690b617ac51681fbba8cb8ce8adeb7ea

SHA256
7d47f62432b4fa2437cdaab4406f3267bb6a58c1e956453301b3aca386008006

SHA512
5cc48e0cc5ef3d2ad6e21d102a78083fa2b7dd0a4ed9635452015f8d8f0bb9ce06f72164230eeb4d3ee3500999c1a30ed38d87a8ff282a62fc90580dd4d2bba2

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
352KB

MD5
ac809fccd59ec55eb51e3269595f517f

SHA1
e344b3f2e3ea992fea1abd30595cdf1a47bb9441

SHA256
148d804065b2bdf099b4ab15423ea3198f140a2a3558c7c13bb177742b09db45

SHA512
9b4947813fa17a5c5bd9a20209c5db9aa515bac5edf7c32ed15849012ee4a7aa1dd51fa8fd1b580d9634b21bb8cedd076c39951c214c83cbc90eda3823838f07

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
352KB

MD5
5ff16080804661a5a173a3e1f9edb109

SHA1
9ac51001581c6e4ce0fb6c60ad9fcf98fbc3e11c

SHA256
c99108d9016a599814bb39f469fe629d2bc5fa6fb21b68c194e9369a1f836730

SHA512
0300f4563fa2b0b23af4a3b34c99216159458696b5166125df2f2773c8d67f840baa3c5dfa5a88ecc48490ae2a9521a065e66054d65f710c27b8ffa75f7a217b

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
352KB

MD5
b57b3170007310386d08c8d3ca8278b5

SHA1
d73024511c6772f967af24c891471cdf8f1d4523

SHA256
85254e6194e66e31a8abd60349677b80244433acdb3a3033d276fa2a4ae10cf5

SHA512
ce8ab87a1571b9711d9dc483fb53c77de42fe728316efc961a3d0aa555a75ecfc69dd490d2983e81636b9b7af4ce057e1be44d55142ca96b2421679091e93326

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
352KB

MD5
f569ef69bc7dcffbd808be6c86c7a731

SHA1
54f962ce6088b260aa818abb0b9edd65dcbf7d08

SHA256
32ba5bc5554d6447e75ffaee77c72e2a55c12162f730112d46a0770be082ccbc

SHA512
3f32a3441f355a6ecad2dc2e1c44c7163a96f21e9aa75c2540f69f2e12fd9812fb484a7b91521ea81cc15dcc146bcc44830f3a9b7026cf631d1d1185c356c067

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
352KB

MD5
bd2252e8316ffa75d2d7d0e727877483

SHA1
0bb9aaf237eebc3609b44dd486e60d319d833b7c

SHA256
3d79d6d4c49a2e4187cc963911e0ba84880575e72c02bb0d7831c717bafe6857

SHA512
01b18d921447e4b99f8fefdf36b2f15439f861750df758bcb2bbc15c193a481656046f6e34c1295a5ca71165ac5b0dcb71018a42781ee0c03313177469063c80

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
352KB

MD5
3b5f3599d4401715e522dfdd792cf756

SHA1
a7ee627ba18933e242365ebd2d333ac3be44be70

SHA256
c29554c7514b887a1ef91a6ba05561a512d177ff68d2347633378112c13fd73f

SHA512
40b36ce0631fd7504b733416276e11c509171209f32494ffbb32a95984d458cdfcd56ef8819c25467dbcb6f25185dd933521fb70462b6cc7540e245770f2f4c4

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
352KB

MD5
9da204334feb3cce0b3c81dd1b3dc494

SHA1
b958b961c9bad482a64bd9adb579f12489fd6044

SHA256
3acf231d124dd06a836fb50f3544ab22a0daf10ae6bc3a09371ff55db4897972

SHA512
739676f34295683d89a82056a26312d5885906cf730ddd12b4f731128f5cd674c8820677873ca69a173eeeafd824262666039f2549569c8e0a1adb2c9be63322

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
352KB

MD5
ea6cda3f77a0e5a98cd71449175f05ff

SHA1
07e962a60374bdce597c05badef0f590d4f8076c

SHA256
c19d139636b57dfb4e21bfe51c72076753a958509bf0f6c1bfd3c191700a8392

SHA512
4836eb73d883ca4423d680e891b69369aafcb7f9e0fb39aa79cd4fc540b629f3a2bd9434cacfce36a20762137d24131a4686459ace76eddebdb71e9a5fcb0393

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
352KB

MD5
85572b5b90b645ad02c9089f05c1968a

SHA1
4662db1e71def923f79321b6fad73a1daf1d5b84

SHA256
ff0722537e67a02da1943823ade24781d464ba03760f2d1bdd701e44879e7836

SHA512
5a630f888400254d1f3c38a3b5a86f48b6284fc9d34498f0a447384685a4a730646df304e5b7720e4bca2ee26a3c25ed09afd54d062fbf11f55cbf07072e2da7

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
352KB

MD5
4c6db05a17df51d8e2deebc4f0dbd48e

SHA1
ba2e543b8f724023389f9e4e7434e0098d9ed47d

SHA256
1310ff3b801f256610132aff838eee66ae818f2316c9c009b37b222cb3714c3b

SHA512
23b26b863d169961a20f4817a7583a9997c5f49a6376c2459986630c05b1956fe60fed5220cdac729d9a32d6e04837febce774de2c54b41b5a87f14711ab7d82

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
352KB

MD5
7f74a4603b91309d5241fb3479016738

SHA1
ecd8f564d6d0fbd5cc3218ccb0b2b6153665cf2e

SHA256
9675f5e23fa02e3376135810f63764ebe03006bd9c26aae2b90c59a1c1a0fef6

SHA512
9bd85734e7d1bf4af52499a505cca73fdf7c756f4c0a150fddcb8375f7ee3676a9ed6ea26eea5e44a21305479ffa3ce749fa87b7c67df4fdac8459bbd7ee49b4

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
352KB

MD5
dc00e30f176ee6ba2e7ed4424e209721

SHA1
a9c02da0103a10c7ec00aba5bcd76823432068ef

SHA256
6df9a7fcb7d843e24b1a5074cf5d09acf03c1d21f8597079cd323b25040e27db

SHA512
626e8b3a5eef45817c970711bfc2131e0fe1a930024abda19839168b6e0c22f1404b1e1cd898d1bdcccb808c9bacb09ba27f826714ace7eda92c8d7292c2cacb

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
352KB

MD5
337fd44e6bb2f0054dab1983a894eba3

SHA1
8454e37440f9d47ee3252211cb43ef3acde979bf

SHA256
b3a43e1437556823a2c13414ebb2126ec64a541e003c6fbba51695467c41faaf

SHA512
07853a913b89ec770829898bd593cb8c2faae85bb6d8dc76b60ef599d41b124e67a2e5bfc8a73a83855f7762157fb441fb4e78f8d7731a84472dbcd68a9330fa

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
352KB

MD5
a06f128aa2dc70227bcf83e9d74b00b0

SHA1
180c6d7ae61bd26fe8c7153310a6d6789956fc02

SHA256
2ccd63a263d20c71ba78575db5a2747545cc40752d0f1cb035beab421fa37522

SHA512
bd2e623793afba88014c1995103dc7c009b22a5371c2aa5ace4c2bd1c0fdf7e45859b188911b1f0360199faec4139cee68dca1b2000d55cd68a77c916073a993

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
352KB

MD5
69d5361268eea39587932e4b9b71f8be

SHA1
2f2d576c0f87d9401de8052d8e371de23f9dbfba

SHA256
edd553ca5f52198bfc32477a3e9a37c0db432223fa833c360f7e52ed40bb8920

SHA512
742b8250e396ff50534c0558428e2139dc0a6054832bf5e5467b326166e49e0d56e233d2b097915b3bdf90f068e1c056a8ee08c7154c282d595c3e83adfccd01

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
352KB

MD5
d95aefe03ed7a9f570b10b8b48e488f3

SHA1
63ff104e9d3dd9671bd374a29728a5af17962799

SHA256
54adeec5cb2293d12e817f77692c508174549d6f46b653df6a6f8ad519dc7080

SHA512
9bd108a26d24ad5499b468f88a9a0d4e2bd45e07bfe86b385666cdb986f9f347418dfae395438612a339272e4427f3b9599ad0236121de5ae1d559c79fb85e98

Download Submit
C:\Windows\SysWOW64\Dbagnedl.dll

Filesize
7KB

MD5
cb0085991300d4edf70661320f5600b8

SHA1
cddee1558c511987d94447a8851b3bbbb5d8cb18

SHA256
4e41bf857f07cca2e3175c2d01f92365ce02f6c7678d04709276e200f5c7e970

SHA512
d30a8eae929e6620fca75b94917cfb2c0f749d0cd2a2fe53c887b3daa102d986b2ced0cf0865ec56939953b952129193bea2d26db97aec6f036eba5d0b94da34

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
352KB

MD5
e59803ba513f3749d242288cbc2ff38f

SHA1
190adf89c0dd5d3f39eea2eb42f67dda625fa6b8

SHA256
7be393036a17e95d91d3afd66976fd3060f41d2f456ff042db18edc193540914

SHA512
af36e8d8e2cb0eb1a9955b68101a278573d26a9bb3510d54b9056b23287074c30b11a6c42f86e1329c29ddaad409b0ced515740efff125c71cfebe08890b0910

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
352KB

MD5
12fc8c47c2376510beaf8f27854166e5

SHA1
a1ca11d33dc96895e0a6378cb1c88c0b670c2ff9

SHA256
239df0faa73e61716ae13e14513e041aa9c43a0ce1a87e1a7d63f94aa09a64c2

SHA512
0a608d67529034ab7f951706e947ed269734f93435e640171de91257dc78f52cfdfc701fed526c00780e19174d370442359de0488ec7aa96c2e57f88df0f7abc

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
352KB

MD5
1ccdd4f3c1af2cd6cbd37378db1a90bf

SHA1
d37674fdaa5978cfa3ffaf25a37b7b18dcc3d94b

SHA256
505291997a8022862c2184cbdffba51a961ba0f80a411b5c3fb402d08c2479d8

SHA512
5c0b589ab9e59bcafdfa2c910bd6468bfb141db789d21b52355dd353130adeb7100f6bb42777915c3c905f7afc7753668862fd53a7d22a1aef094d6aa5861e95

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
352KB

MD5
40135c17af46a4ee98edd367e73b6aeb

SHA1
9b47d9379e43cf92116c6d9ffb4990bbe49a3bff

SHA256
902a387246e0b853f6b509eef3194642d02b63571c409d76ac907958ca923037

SHA512
1493388f9518c8d93fb5db369cbacee2fa04cbb993ca24978ffd6d72d89725e99dfcb3ae11b2bb578747e8c3bafa4cd72b2013ee3c53b3427548fcc5fba467ab

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
352KB

MD5
5f888846955eb78aa68274efee0e26d9

SHA1
f294b074bbbfe969cebf6d2236ab6e88a410968e

SHA256
5ad9225b80e18156d27d01f6c4956c36d5e0eb22240bb00b23198a541257adff

SHA512
923b2bf46eb370ae7e39e3d4abe0e0f3559cf936c282d5812b1eb0ebd98906312ce7be7d941c8ede5fe1f449bc13c4b087f16f9833a8e49cdd76eab3403caf8e

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
352KB

MD5
3b0b18c8921348bd9d9fe9a4b27aa1c5

SHA1
4b56a7babc178af01e538201dc03a4f9d6be705d

SHA256
c4d882fed038871831738e282e98307147f61a2ec3c63cca8c9d61c991c562a3

SHA512
addb019ef4e448eeda4f666a05b844ad7d8b331541aec7c72c2583bc7739036609b85300019447aa17797c7197c2e961fc0eb6a7749921a98a83271a0fd21415

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
352KB

MD5
76168429a032bec508ce940fb37c6299

SHA1
f39010315b75eb3911a40e3c9308c289dcacea38

SHA256
1c461596e2ed017c00c36350aeca977a532177f585fd8328724a0707637163ba

SHA512
0910e2f405f59b19549f6523aa443d777da6f240dd0f1cd0595dabb100b1bc14fecf61918b9eec02c59a48ef989f129dd7e3eebf2985bdf19305c4d47c51369f

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
352KB

MD5
fd5a2321da84f171ab1c13497e85a429

SHA1
4b2471ddbd2b538bca386ed6a5187789d228f019

SHA256
17ceb79245c087cddf2c9aa2cc69214801a1eee63b21880a07881ff3df004f45

SHA512
66c2f26acc51db1473935ca00d0491b8551ecf4eef89182912d1fa2e7b58d89e2eba13af6d22b5c479f1841bdc69d4b33bf9cf26f4a345ecd163cb48dba0b845

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
352KB

MD5
5b1937c91536ff5f9ba011c6764f7906

SHA1
d884f11558ae970b4451d7f7795375b33450c260

SHA256
f0f647de7a28fe2ab5d20f01be07770588b7821ec361bbd9c2f2aeb6ab0d1bac

SHA512
be1b2ca322e53f8f5aaf714b744a2d6637e42f2cc205c8ba96a4b45f7b9a4d0213c1f4c6ace033211dc47d23b3cd4066608592793124c9065af67eaf61db0d1f

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
352KB

MD5
49e63c85b0f1f65bab4ec28deaffd626

SHA1
ab8695b02815ec06d5b3a605630fdf368ba2219f

SHA256
ad32b5df4f8577ba8451fe6bf3cf3afe27366983e2c3a76e04f4b8236ace8b80

SHA512
23db9e599770c631599bc644748fbcdfc2336397c586a18ee0983552d290ac0b313e10ff8d8fa7cd3451c3b5c60c8aab455e195dab9a09ccea7fa455662d9afa

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
352KB

MD5
4bf796b3736bf7f088ad7e2227dccedd

SHA1
9dbc807b70d39383d015e1a0f97bb71816553241

SHA256
09c299f70a12288f2670592a9c4c3c60baa7be14fe62029acf2bf4691913a0d4

SHA512
e609e7bf97ad58b42ee11716400f924cd944241d1bee38666baa12b90dc73c89f5a3f75063aee7b7bad7f694c738d7cec1548f0a27f3f9fd5c14206395d364cb

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
352KB

MD5
f9a26a1b0c3941d83e219324baf6287e

SHA1
82c36d412b0159709c7e96b4cc7b5d846ad4b34d

SHA256
e81c8085bf8cb8a69081a8f87f080c6cfee0897576ca9d49cbaa779573dde718

SHA512
465bd4242a798eb91b0518d883537fa0b1f03ac2bba53cdc230d0a0eca9168f24235f03ce415fc57a83068d8bea303ada334dfece65537405303cee6b4759a9f

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
352KB

MD5
b62279b0a9c6dbcfe82490bf2df3215b

SHA1
05e302e295e099316b4361a8e7bac916585de02d

SHA256
2cc36d900c1b8db29979acd9db1e8290f3b53bd467cf00998f735596536db3df

SHA512
051a5c6d9bbc57035daf525ca4b29c305b03841c26a69372a7d7fc548aadc7bf2f2085440682a9897426b6b2b4e4e8693fee26c3f21e34901569efedd9012a84

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
352KB

MD5
6ecc6bdb97bfccecee4fe9f20259e1e7

SHA1
f094810e408f655ef79039ba6ed12916eb5c3442

SHA256
1bc956775d42260d2e7c0cc58e4fdfd74f1edbff84a73575a6cb9bcab7903238

SHA512
46c18ed377d9c426d385683bdc086c64cc668bad8004faeca398c88b643a334bc09aa4c2e30d15b779a2b62ad38ee402c39703c137c0e1a4cb410135fca6af5e

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
352KB

MD5
8fc0b3c0828832889b7c3f5c7577fea2

SHA1
aece6971d0b1426003063660626a577d94a53d26

SHA256
3dc15a0a17fcd92a95e1fb652432a0159a34c102b06c62aea1aa5424e9c4e6b0

SHA512
37acf64cb59934398c62b2567c1b7310e25c98ed6104282b8babb862634420be6338f9ae8208abdb8dda92316b91493902bbd3aa6c4a9f1cd30d98dfb65afb46

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
352KB

MD5
8fef0a15e839c0330acdd07dfc3d1d78

SHA1
04138f640e2732c9548c735dcf1c7597367e47cb

SHA256
75fc07dcdc78091da2ace169fbc905a9838e2b2b9c01a1464c68f9e42d9cf3bb

SHA512
5d0b06c5beab73b9e7a4529588ebe1d5546eb1d6c07a96c2eb51bb3e2beec142a7024b92dbe7c6e63c460259a8b2c514231e2844ee3c4a65024a1a4d282e713e

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
352KB

MD5
fb574cf4bde1b8b458531e69a2d649c7

SHA1
9b6c4c8a96b28107a8012455c19601f0a0cc5539

SHA256
5d1fd37abf66034f6c34bbef899c7b0edd0ef1d0f15e98e06bbd0adbaaa7855e

SHA512
b5c71d45f86c1350082852e6fff7102f1a66f889c008e9cf4db88b333793434a2e54e55c7290d3ee3dfa1e7046c8938715d08f128c4777d09389c9d294ae21c3

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
352KB

MD5
7863d234dc05f679392180254308eb28

SHA1
5ac8c13ec883650e02bee6af3c62c4971e18df89

SHA256
170982b3375db0714aa17c220f94eb32ececb6ad027ad1443d9c9d7fb9acba33

SHA512
fea521f7fc14f5abefce94a844744b73e3bc7f46019f83b97978ff887a8dfebec500174eda7aaffd99179383a632814c352251294b44c1f0c4e6127e985dd475

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
352KB

MD5
71059479986ff11f72cfeec051600f26

SHA1
cf12dccca3c6ddbd64987f40812bd9d3597e40fe

SHA256
76915819907d3bcabd4d4a0317ed46a5dbbe91ab6cf6ffd8a8edd5602a4a5e15

SHA512
eb42222e283727096a682917b2851f74295bb2f16f7711d5876de5858e126ec3c543ae333982a6c1301df98dabc1a53f901d499182a5c3c1d7907702d9a9ab2e

Download Submit
memory/372-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/372-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/508-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/584-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/820-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/956-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1108-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1400-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1400-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1904-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-493-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3184-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3184-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3196-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3280-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3280-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3796-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4296-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4900-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads