berbew | eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
Size

81KB
MD5

65b4b4144bcedd363d9fd4831a5aa7e0
SHA1

66b3854048c96f1439317f8a8f57783c88a319ac
SHA256

eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6
SHA512

0ad77e397384922c8a52412192147d1050e69cae46ddfed677e3ef1bdd61bccb0a16027cac2e060e13e427e749fa7881349b502419179d9419609b281e0a61d4
SSDEEP

1536:Bo7oc1K9MM0QEsxaYKigWm9cPdh7H7m4LO++/+1m6KadhYxU33HX0D:q7ojpjKigWm2F1H/LrCimBaH8UH30D

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3292	Pcncpbmd.exe
3552	Pflplnlg.exe
448	Pmfhig32.exe
2116	Pcppfaka.exe
952	Pjjhbl32.exe
3512	Pqdqof32.exe
2100	Pdpmpdbd.exe
532	Pgnilpah.exe
1408	Qnhahj32.exe
3772	Qdbiedpa.exe
4972	Qgqeappe.exe
2912	Qnjnnj32.exe
4648	Qddfkd32.exe
4900	Qffbbldm.exe
3152	Ajanck32.exe
3628	Adgbpc32.exe
3324	Afhohlbj.exe
3620	Ambgef32.exe
1296	Aeiofcji.exe
1696	Agglboim.exe
2416	Anadoi32.exe
2816	Aqppkd32.exe
4116	Afmhck32.exe
4344	Amgapeea.exe
3812	Acqimo32.exe
4396	Ajkaii32.exe
2528	Aadifclh.exe
916	Accfbokl.exe
4788	Agoabn32.exe
4548	Bjmnoi32.exe
920	Bnhjohkb.exe
4292	Bmkjkd32.exe
3460	Bcebhoii.exe
2532	Bfdodjhm.exe
2940	Bnkgeg32.exe
2316	Bchomn32.exe
392	Bgcknmop.exe
4000	Bnmcjg32.exe
4980	Bmpcfdmg.exe
1360	Beglgani.exe
4372	Bfhhoi32.exe
2476	Bmbplc32.exe
5108	Beihma32.exe
2956	Bjfaeh32.exe
5104	Bapiabak.exe
4496	Cfmajipb.exe
1300	Cmgjgcgo.exe
1128	Cdabcm32.exe
3540	Cfpnph32.exe
624	Caebma32.exe
2740	Ceqnmpfo.exe
3704	Cfbkeh32.exe
5080	Cmlcbbcj.exe
2676	Chagok32.exe
4432	Cjpckf32.exe
1804	Cmnpgb32.exe
4852	Ceehho32.exe
2608	Cjbpaf32.exe
2332	Calhnpgn.exe
4808	Dfiafg32.exe
4912	Djdmffnn.exe
5064	Danecp32.exe
452	Dfknkg32.exe
5100	Djgjlelk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	4824	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3292	4764	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe	83
PID 4764 wrote to memory of 3292	4764	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe	83
PID 4764 wrote to memory of 3292	4764	eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe	83
PID 3292 wrote to memory of 3552	3292	Pcncpbmd.exe	84
PID 3292 wrote to memory of 3552	3292	Pcncpbmd.exe	84
PID 3292 wrote to memory of 3552	3292	Pcncpbmd.exe	84
PID 3552 wrote to memory of 448	3552	Pflplnlg.exe	85
PID 3552 wrote to memory of 448	3552	Pflplnlg.exe	85
PID 3552 wrote to memory of 448	3552	Pflplnlg.exe	85
PID 448 wrote to memory of 2116	448	Pmfhig32.exe	86
PID 448 wrote to memory of 2116	448	Pmfhig32.exe	86
PID 448 wrote to memory of 2116	448	Pmfhig32.exe	86
PID 2116 wrote to memory of 952	2116	Pcppfaka.exe	87
PID 2116 wrote to memory of 952	2116	Pcppfaka.exe	87
PID 2116 wrote to memory of 952	2116	Pcppfaka.exe	87
PID 952 wrote to memory of 3512	952	Pjjhbl32.exe	88
PID 952 wrote to memory of 3512	952	Pjjhbl32.exe	88
PID 952 wrote to memory of 3512	952	Pjjhbl32.exe	88
PID 3512 wrote to memory of 2100	3512	Pqdqof32.exe	89
PID 3512 wrote to memory of 2100	3512	Pqdqof32.exe	89
PID 3512 wrote to memory of 2100	3512	Pqdqof32.exe	89
PID 2100 wrote to memory of 532	2100	Pdpmpdbd.exe	90
PID 2100 wrote to memory of 532	2100	Pdpmpdbd.exe	90
PID 2100 wrote to memory of 532	2100	Pdpmpdbd.exe	90
PID 532 wrote to memory of 1408	532	Pgnilpah.exe	91
PID 532 wrote to memory of 1408	532	Pgnilpah.exe	91
PID 532 wrote to memory of 1408	532	Pgnilpah.exe	91
PID 1408 wrote to memory of 3772	1408	Qnhahj32.exe	92
PID 1408 wrote to memory of 3772	1408	Qnhahj32.exe	92
PID 1408 wrote to memory of 3772	1408	Qnhahj32.exe	92
PID 3772 wrote to memory of 4972	3772	Qdbiedpa.exe	93
PID 3772 wrote to memory of 4972	3772	Qdbiedpa.exe	93
PID 3772 wrote to memory of 4972	3772	Qdbiedpa.exe	93
PID 4972 wrote to memory of 2912	4972	Qgqeappe.exe	94
PID 4972 wrote to memory of 2912	4972	Qgqeappe.exe	94
PID 4972 wrote to memory of 2912	4972	Qgqeappe.exe	94
PID 2912 wrote to memory of 4648	2912	Qnjnnj32.exe	95
PID 2912 wrote to memory of 4648	2912	Qnjnnj32.exe	95
PID 2912 wrote to memory of 4648	2912	Qnjnnj32.exe	95
PID 4648 wrote to memory of 4900	4648	Qddfkd32.exe	96
PID 4648 wrote to memory of 4900	4648	Qddfkd32.exe	96
PID 4648 wrote to memory of 4900	4648	Qddfkd32.exe	96
PID 4900 wrote to memory of 3152	4900	Qffbbldm.exe	97
PID 4900 wrote to memory of 3152	4900	Qffbbldm.exe	97
PID 4900 wrote to memory of 3152	4900	Qffbbldm.exe	97
PID 3152 wrote to memory of 3628	3152	Ajanck32.exe	98
PID 3152 wrote to memory of 3628	3152	Ajanck32.exe	98
PID 3152 wrote to memory of 3628	3152	Ajanck32.exe	98
PID 3628 wrote to memory of 3324	3628	Adgbpc32.exe	99
PID 3628 wrote to memory of 3324	3628	Adgbpc32.exe	99
PID 3628 wrote to memory of 3324	3628	Adgbpc32.exe	99
PID 3324 wrote to memory of 3620	3324	Afhohlbj.exe	100
PID 3324 wrote to memory of 3620	3324	Afhohlbj.exe	100
PID 3324 wrote to memory of 3620	3324	Afhohlbj.exe	100
PID 3620 wrote to memory of 1296	3620	Ambgef32.exe	101
PID 3620 wrote to memory of 1296	3620	Ambgef32.exe	101
PID 3620 wrote to memory of 1296	3620	Ambgef32.exe	101
PID 1296 wrote to memory of 1696	1296	Aeiofcji.exe	102
PID 1296 wrote to memory of 1696	1296	Aeiofcji.exe	102
PID 1296 wrote to memory of 1696	1296	Aeiofcji.exe	102
PID 1696 wrote to memory of 2416	1696	Agglboim.exe	103
PID 1696 wrote to memory of 2416	1696	Agglboim.exe	103
PID 1696 wrote to memory of 2416	1696	Agglboim.exe	103
PID 2416 wrote to memory of 2816	2416	Anadoi32.exe	104

C:\Users\Admin\AppData\Local\Temp\eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe
"C:\Users\Admin\AppData\Local\Temp\eb58081103538a96b6ec7ef2078130ca1e29ee8e12496eed51f07830104562c6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\Pflplnlg.exe
    C:\Windows\system32\Pflplnlg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\Pmfhig32.exe
      C:\Windows\system32\Pmfhig32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 408
        76⤵
        Program crash
        
        PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4824 -ip 4824
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
81KB

MD5
0dd45c5e44a2887a23127bb5dca3403c

SHA1
cbb36759209d42184718ed5abc7923fdb1ba185b

SHA256
50a1de1b9a81f2bf74a14c0ad165030037ddb4189e2053ed715c9d98dc4a46a5

SHA512
e2f63ed4dff962d4d35994ab2c6c1e2e83632057f150e26aff904a7559b45ae4d27f3b1531c049ccf02040385b013bdcd126e4aec7068dc8da50260040e610ce

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
81KB

MD5
fb8b9c4f482f912cb9c8797184740775

SHA1
a5cc298dde81055112401b194cc7baf60d043d9e

SHA256
da2605c6627357863eeb8801f960a8e0b16c9093539369329e78ae8996ad6ff2

SHA512
4efbcf6f55037a68ffc3ccd9c8fc8720641f488f449fbb706243dabc455e36a388dc12237624eb18419b44099bab5d4e45f49f6bd712e4095a45e3583377c2fb

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
81KB

MD5
5c3f0bd38c8b2d9570631e2c872ab945

SHA1
1fefb87adffcea0371274524484d9f636ec5cf7d

SHA256
11677e96bcc09d1045b9fc1872a91ac0ff2700d07fa7ff3be3651465d0d6cbd0

SHA512
e831963f4877a9f6aa6ae0bba08db3551bfc685ea5eb3cf6c57087a871b7c38eb5f2b9bc0b390de9d9935f58037ff6d4e63e2b9d2592099c4a74d90f5b9ba119

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
81KB

MD5
a118a0c8516ebdaa04a875eda8cd68d7

SHA1
5fcaee20dd71b530d885b041ff56d5c3b15fc357

SHA256
d55a543041d38bbe17d4b76bab123ab17551ec352ed9b86c3d687733b1765fb4

SHA512
05cfffc269c72be6a71c3fc24e03436af7fcd5c6dfc36a62dd0bd9a24f9b8aa779c3c9c84bbf4758ddac58b8e3d1f9a12cc06710a3ebccbe0ecadc51329ac013

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
81KB

MD5
25accbc91207510e87b5b42be88ea0e6

SHA1
61fa3972bf8626f12faf8cab5a7b997e4e421d5d

SHA256
3519b864d436c8d254bf512c1a564921bbe67595515c1539fa72fa6140ee0968

SHA512
63f69a99bbaed75d041c18e1ef50a4934e1b38e271d38ff65700fa291cb13c72f4e72fc91b4e5fec5d2aae9dafde494c42efcd1eae1d12ced8bc879eb026d544

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
81KB

MD5
32e5f60155a9efd4a5c67936594ea281

SHA1
8f7a3b092c1a388c3fe3826a4989dba74a1efd0e

SHA256
3c4a011cff64b6005cca8d9d0cd2d29755c3862fdbe23d8f826d6b9d0a6f3775

SHA512
036595f40a5331004e8e4712c80018555363bd9e4e52517eac0eeca201754498c06d4542de35d1f30d5a3fb39383ca8f7227d6acf8af974329e6bd633cf11975

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
81KB

MD5
a526633476a89c39759d2e7cb5246ff3

SHA1
e8984fde8a96005a617fd558c237e6a7754c2d38

SHA256
f5a2e8a456112688d756d241ac941e9cb3b325c0f8b1fa3a2bc119dbf74d56a4

SHA512
9e21eb3e25a4e36c8def5a9822116dfb8fc1659912a7866999902bb8235f0daffa42c955635e540e856019f0d23a6b2d111aefb93d8e4d3bc9d190f70622aee4

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
81KB

MD5
cf2813d8bfada21e6e0c097f556ab024

SHA1
7b4697d53abba4456faffbb8709c6bbfec16e95c

SHA256
5dad5f85d1fcd6faf4602e6535e95336022e3211738db21e369eaa1e9675fbbb

SHA512
cbacc0e52d2e0a0cc74892998279f43e67364f352496cfb50bdc083dc8ff2bf509fe731b34c9950b146c44a008a7693b61d49e63e6b8de71953f3399406fe2b5

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
81KB

MD5
34949d2010e922cd161d20b95184b569

SHA1
c209831ab686130652fb4c7725ae571e4197cb2a

SHA256
de428d968d1d2724dc9f03114f2800e456e93c983d178950615c04e8b6707e35

SHA512
e54eaffc02cf623a8d06f6722618b548cf3f326659134e54260b46b5650c96b26d80018dfc0ef473b59ecd89465edc2e5c422192bc379403b0930e57be328aa9

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
81KB

MD5
52faf3a28407e3b1209f0ee079f796f5

SHA1
6d56d322c020dd28ac4f346f8572b637ae0965f4

SHA256
fe1a26a2aa336740cc7fda9f3b11374d29fec32c17cf4a350f4be8b33c7a77ee

SHA512
16dd35095968c54181d1060e9bd2630187ed9bf2c1921f553b84c8eaa080c9f4f53212e313948139e8ff581e2267d9725c52d8fc330cbfe128bd0595201dc9dd

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
81KB

MD5
70839f41abc51d7992584196c3a97f81

SHA1
39b5169711ac2f19f5758344b2f341ed48fbe5e0

SHA256
f108edb295e71b5805a8be1db2d48af174296f8141149e1a2616f5f698cac909

SHA512
54ddad3c7a9dbd22781f5c76c22bc6536963981c5eaa7ba73eb92d0c6bef0a1fc5f376c9bad3471f719b0becb5b3d6450c023dda9f8a24f2103fbc593c6964aa

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
81KB

MD5
15721a2eb691dc9088a10af4bc6afb6b

SHA1
952d6b1d0c987faef55d339a709a1c13c216f567

SHA256
6d918abd0cb63f12815db92cf65ba6352980ecc3a32c2903e64d8897658e0acc

SHA512
7093a3781a6f9d34e2b7e919f1babf33f2f5d285822e5a425ee6afb8a3ee3ca4c4ed8ab05d423e5fd88a2004bb0fe4167a06fee9a46896369e65a4bf87298fa1

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
81KB

MD5
0c7f0d33b7d244f09779da373039698f

SHA1
616a23549880c99c349171163764ec1a3f718620

SHA256
7ca904df05b911e7727afe439fff10b171b688d7630b7f111434118b78f5a6bf

SHA512
b5e18c594f982bd717b9115f44768d789fa08ecb1bfe18c033d1444001dcef34fe52c3a04f86c50968bf9d74878f93a4efb0c70a1bc2e42d79d089107b699cbf

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
81KB

MD5
e7931f9517ff84b38adbee1d760e2227

SHA1
7ce5586852bb02072ec1856a5778c19258cacdbc

SHA256
ce764ee51915e6914a57d74b4f677e13201cd9de6d2ef9955e1e6aaea820fe84

SHA512
0b84c2e5dec1e754935407ab48633b73b9a77921c9b90d9ba57377369683f5f892554684566de1f696e262382eaabed7aac270c4ffa3fccd5982cdca079bfe09

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
81KB

MD5
68f394dd222d7fa36dfa2caee0eb52b5

SHA1
3f34a8e169cc2bf9916a8b8240bd5e29861bd9e6

SHA256
d46bd4e3ad52b65b6d40c1e1f76bc39f28716fb45dca7ef4e8247913845ebd78

SHA512
c23f297c24ce9171273eb5638b80361f9f125cbe0fc491b5c8d6100f1a9f84aa5a3699ff1252724c54d786ff8489ea5502b475ddfc284910854f24fff82637e4

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
81KB

MD5
ff6135473fea30f2cb1befe50b75ac98

SHA1
f0ce7d543a1c4904c2b9f627a9f8f7c9b3462a50

SHA256
3739fec247b74576c6ae2dafa20465df318c202fbe3181901c6a4d91e172bae1

SHA512
c32af4b800423732f16f5e22a14821ac9c5162ffb99484b6f8a57b64a65eb15347d16656c18250d7650950d3add65ac84054dea327b7656a0b9eefb9539ff444

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
81KB

MD5
7628fd800730b21bb59b2d3e97069952

SHA1
33af7b114a3b19211fe5914932181ad3228f5f2c

SHA256
229e8bde4f85529379f5344b2ac5ec9eeab2fe6d4e987a2b34aaef9b5807cd1f

SHA512
d73b21243eb0cc3e13467e080b7b5aef325020406d33707ee1cf1347d3d27a7469056180231e7ee00bbbaf6c3cc3ab8711c72a229528d8a9c40ad5e992be6cd2

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
81KB

MD5
0decd80734cc1aa6b14588aa3fbed11e

SHA1
9a961e7356a45cce44250fbec952fc0f5824468c

SHA256
ba4684582f43b267dc56187b79a2ae5b442760c3883f632981294696edf54163

SHA512
8332f30ba4a8ed3da58651fb4df49fbf9452a4ab72e40144ddeda0fd0351aa4a4e93898ba847eabaacc79ad8c18996f5c5b99120a7fa335cdad38ea2d3f6a9d0

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
81KB

MD5
ad222eefbc2ca0bee14d282f5adbc1dc

SHA1
df3288b592a1a33d840b85bf7f7852801f5b155d

SHA256
b38ff3c7bff6058e65f67e9952d2bf3832240a50a2f908d79e6f54a056560e29

SHA512
dbec7a52dce30f32f8a9e5086cc2cb7d30eba55221d3ad5366972bc49a1604760fd76d564a6b6cecd5f2acdae33a9da1b817b5b557afbef6d97d9eac317d7e51

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
81KB

MD5
ed9b39ace4889ffa21fb639d2b48217c

SHA1
102f2338f261ac49e31b7fe31af5817745dfe416

SHA256
53cad9cccb228a2fa8ee33c5ba9772c7177057c985400897e13286b48d8aa180

SHA512
31bdd355d992ed8e415d41921c8004307830c7911c352c886a6cf6e6ee7072ee39b7788d873cd620448ac61a969b1ace85c2b86f12d0a3ba445db6c6714fdf8f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
81KB

MD5
1bb16a6055d8a945d35a94c22ef69db9

SHA1
9f84cb06f14d875b280369b28a0b51ccfbd6bb5b

SHA256
40a20a17f39e397247edb4b0a9c31f190ebeabcbf60c8ea45cecb413fa3b59ec

SHA512
ca9a58e72f3f8eac1ca8b575279d42d2757248b3f9b81d7eae0421af1898fbdc666dcf844de849b524f62397a4fef5d37f4572ef101949a417c70f1ea0d3f512

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
81KB

MD5
67431fdac3403a1fff3b116939e59ae4

SHA1
0b05d23a47915c94678f70dd44b3100b0defee21

SHA256
17e3d2fb7a0b134fe1271040b797c6680217244d410f3da3028b4ee090ef5b75

SHA512
8c8d8ba48d8b74a110c63a74d4389067d53679e74f6bd7705fbc8d13ebcde44c2365ca330aeddd7f12de2964f6c585e84aeb64a55a04389e2fcf37ef5d603291

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
81KB

MD5
43d8040ecaddc1947ab8b3081ab1e5d7

SHA1
b92bea451888445724b5f9d364abea581ab0525c

SHA256
15a9052881f573ad2c9f889b79610bc9beaf2588b549fd6ee829bf063d1e3499

SHA512
c0937d6518e44cacdf2a64609f5657495693231b09e3e95d138a5e854e12a1aef84327f8d8854d8430e4f208b0c899785c567269eb75075646d4585ed3c567ce

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
81KB

MD5
4389f61a485938fdad4973235d471d7b

SHA1
305fe518752502fe365615efb54d782c3686eae7

SHA256
e54576a70c1b2bf4888e5a515ec96f59f108c1cc0d3f694eee9d4cc559f746b8

SHA512
3240294620081bcf1d175d120847d949ffec6d6907a984b51814b7cd73b5134043c9df520d410489f937fccbebf5b0944d4b390b71adae84f2b7ac9050d11cad

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
81KB

MD5
2bbbe34ff22ae2eed2ad4f7757bcef73

SHA1
66b0fcaf95a631daccf03e022ebfec4bd35a1137

SHA256
e64da484ebba6c081afa21fa924b48cec3734aa292c0da8af1e8e57f43dc8ee5

SHA512
f86d53a5140e7af74d212719666292e4c104d11c7f3e3efd0126eae26a459ead4bb9885c25f7851bfd62f4bcec6294064afa18b63b02098645350dfc4fb2271e

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
81KB

MD5
558c2af5b978727c983f503decd7330b

SHA1
51206cda3c80c256472101316290eda41198aa03

SHA256
03d71d442f3383a4cecc40ac66fe03108c25dd753ab549770897be0792483e74

SHA512
db3f9d21364382f567429a33476bfa62e7a516c7f3246adf16365ed3ea23dbcf9e6bdcf39227b3c30944d73f77614f47b788608c838493186ffdda5a029fd827

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
81KB

MD5
dd77d01b7987c88315fc164d8fe6d4f1

SHA1
39afc299f468c22ed2e56a81fb440405b5ddc9b8

SHA256
cdb4218eafdf9ffa6c8c9b5889f9c0aca0cf80b0c199b9a44129b0617fd7ab1a

SHA512
a5e45fe1311883369880d81b2a1d06b62ddce8b99903e2cad7eb2f560136e26e834a72f0c2adede5b41f7200fab2879d14dbcf67327a08c095ce72cf35358cb1

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
81KB

MD5
cc584ed7141f5d5d637b4cd5192c25f9

SHA1
61170d7da23016e0ad82388757cd3bcdaec9ae9d

SHA256
8e5e2f67f56ddce06ebbfdee5553594587b45384b41752e462c386b2ba3a46e9

SHA512
ef1d52dc2c3c20095344d656dd147d3bfdb31d0b37b4f5dd3add9544c504013d0f88aa2a4886700a5b590c77e3779a54f7bff0e409d9ab2b3e11c5872c67dfdd

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
81KB

MD5
8d73d59855e8a41d3faec15fc3ce4d45

SHA1
d2def1755b6d90c7c7eaf7022513c73fce9d0153

SHA256
a0c9b195732c3e900f9d7fbb1433c800cf21a8ee308e3d6ece3c8abc209b5ebe

SHA512
8933af22f80061adbb0d2163ccadd40d723bbd2e776b0daded48dc8545b72d8ff287337b3375fe818f0a8dbfd06dcae7beb1cd55a01f9c228694e18a4ab5ed12

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
81KB

MD5
62948bd33fd438f640f73941b39ab6b8

SHA1
9658c0644b05c54dd5fcad788e45518ff315ec44

SHA256
89463af1adfc83b693e57be774c09949d2d94bf8c649794f7b2bedb23f46c446

SHA512
d555f333950898652ce9f294064c2744dbfb71a5438e6ce068744ac222ceaa253f5ba341e98aae01aeb31cd7833465ffe7ee8f742e94ff5a6e3feeae8dec5050

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
dcd5d21fb351861146495dcf11e45b75

SHA1
a17965add2555e00742df6ed70b8a0328445d6aa

SHA256
d375fb7023763dcd84108714ba21edb0b5d471f7f1abe05fafae9f33dbc1a4d1

SHA512
9ec43a4d747068a231c8f6510c869c33174d2ca6f3a6f417adf992d8e124039386da2efb212dd2f70d3442c54be5b627a98dec01ca73257a01635773d9331d4a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
81KB

MD5
517ed3ab233599d2bb2ffd28ee23915e

SHA1
371d388cbdc1fdf75c0df53b9d81dd1dbf18e5a0

SHA256
11a7f283d6cb1e5887e5a414c8f6e34d0df32851e7609d16a34a0be60a626b7f

SHA512
c906f83e3b293d59c2ef0c8f6bdf26e0fec9a134cb0ec6de76a49903c6c37b6c3c3d3061ea0d5e5629b9b052fa46e89066477ce99c048b58d2f3bf17d9bb10ca

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
81KB

MD5
595b05f60dca2cc8726937ba145de733

SHA1
ef3418ac8bfab8aa081b79b438aadca2c67b5024

SHA256
048df7dae90fc3bf4114fa7acf8cb089b42d354be45a4c8c4f88558f4366c599

SHA512
a6c1d2fe12c4d1c89fdaed081b3b7fcd0ca53b7a65e9d3a2e27b37954fe83fab428b700e1383eadbb285cc70f22a078e7adaf06b81bc9aac3312512c5490e076

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
81KB

MD5
7f26bf17f017560213c8b6eb3a0ae6aa

SHA1
99eb4c427463e6da747fe8dd178c896e65aaa4d2

SHA256
a3919f4de6850caa7ff29814966fedc4fd198fbe62bf78e520e249650d6756e3

SHA512
71c0e9a659a8981d4a566538323a4cff54dd9be546ffb1945371f609162d42601bd08c4f9eab6b955425caff378502968ac609f7edae304f2e3f2e1619763dad

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
81KB

MD5
d36a23fc82860e85d996851837e1ba29

SHA1
4fb1e24fc3c0c1890d803ba454a1248206387f86

SHA256
ddaecb91530bf995550d86f1201a8e73e3c1c2af14e047934feaff4f07e7ba98

SHA512
ec9131aa7f675d9e0ab3c6d59fe83b0ca694ece4942a71fd100e89dd89a8adacec2482b3a8d2c6886c5965a7bc5c0c996b864053d89d1055153955019c39ef2a

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
81KB

MD5
1e57f3aca632c14f4048768fc637298b

SHA1
3a015953e6283dca0f53fe36eb13c1d7119be6c8

SHA256
9c0a0e25c279a857631a873ab49064859c6676e9dc86b8e9e7fec04c7d854bca

SHA512
26a674217c1ab607e73e5a149f763b1732207e2dd32c6d140eaf6fef5b3784a061ecbbbf1610af32072723b602c56690834c0fa4bcfcf0a82bd0890a40b9fb62

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
81KB

MD5
98f406759623153e2e07cbd8bce30726

SHA1
c7ff97fab9bf3ec6682090491fada3b66d96b693

SHA256
59c239f3a97f53afb5d17b60f39e920abecf492e5e572d168b94508ab215e522

SHA512
4ee7db0540f44437eb56ed3e4c0db846f7d20fb6b409d363dad410700176d590b064f7845530dcc44fc0431f2d49e62691c34381666923405772d6752781c36f

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
81KB

MD5
c8455eaa88eeadccc2a25c2290a50ea8

SHA1
5c413a41c2bfb3c3496f5ddac381cf6b32226eaf

SHA256
a0a1c1673cd05de1619c1faabca7b7de3d27f989ca98261d0891c3e052053e64

SHA512
dada11f980d577133582039de5cdf5e98c8cd493de3a0962479c29f29adea583d57cea9fc57113ffd92527f3df89065e4df1c7403a27fa719af745c8736a3186

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
81KB

MD5
a13e24c31c5f367cb31d29d7cfaed929

SHA1
d6df14530d8f16d5e15502dc8edf33b9c8dc9509

SHA256
6d83c17b4b1d63cc8b423b712e0fc90bf7520a68bf22b66bc75933ebefed2ad3

SHA512
6ebd9bb949383d4405b296f942239df66640b7051d53a5e9db28ce9f5230fd9d40526c8825b141012a8ed4bb719ef08e409985f3795fa44f47af3ebae52707a6

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
81KB

MD5
7c81c1e888e570f709c08e31ea9b5c3c

SHA1
2f94d1fa3a22a0b30651658a512c00a05fec33cc

SHA256
899cad094ff5fde61751db8a3f4863276f9107698e2c0454346cc0136400befe

SHA512
22dca7eb743a144ae6bb7d2fdbbf55be69b5a0cf9be1affa17c65dec958cfa54f8cb6eda5c88ab94d2d0d556035d6ca3ee0339784f42726f4991fd2ebcc52a6a

Download Submit
memory/392-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4788-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-622-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads