berbew | bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe
Size

79KB
MD5

44042ebafe4a936f4ffa3a878f6d18ca
SHA1

f46fc6cb8a356ecf11d00442e0431f76b38598d6
SHA256

bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a
SHA512

4e0e6e1029a4125edb6b8072bfef416337f3093e1acc4162e6e240e60e2719b19a0f054da8c19d4e7cbda2c8f1a537a9c8d04aa4c04958fe7320f4a164ebdbd2
SSDEEP

1536:wh57Uj22k2WQXBksWNIGpJfTUEY4iFkSIgiItKq9v6DK:aQ9CsWxFTUEY4ixtBtKq9vV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3068	Odapnf32.exe
1348	Ofcmfodb.exe
4596	Olmeci32.exe
4032	Ocgmpccl.exe
4592	Ogbipa32.exe
2696	Pnlaml32.exe
64	Pdfjifjo.exe
3616	Pgefeajb.exe
3848	Pnonbk32.exe
808	Pqmjog32.exe
4580	Pggbkagp.exe
1608	Pnakhkol.exe
440	Pqpgdfnp.exe
464	Pgioqq32.exe
2748	Pncgmkmj.exe
2364	Pqbdjfln.exe
1304	Pgllfp32.exe
3988	Pnfdcjkg.exe
3240	Pcbmka32.exe
3156	Pjmehkqk.exe
3560	Qmkadgpo.exe
5048	Qdbiedpa.exe
1656	Qfcfml32.exe
4788	Ajckij32.exe
4820	Aqncedbp.exe
3528	Agglboim.exe
2684	Ajfhnjhq.exe
1928	Aqppkd32.exe
2864	Acnlgp32.exe
3476	Andqdh32.exe
3448	Aabmqd32.exe
3284	Acqimo32.exe
4040	Ajkaii32.exe
3496	Aadifclh.exe
2248	Accfbokl.exe
548	Bnhjohkb.exe
2376	Bcebhoii.exe
3200	Bnkgeg32.exe
3084	Bchomn32.exe
1004	Balpgb32.exe
3228	Beglgani.exe
2512	Bgehcmmm.exe
412	Banllbdn.exe
1436	Bjfaeh32.exe
4520	Cfmajipb.exe
2504	Cabfga32.exe
3188	Cmiflbel.exe
4376	Cdcoim32.exe
3488	Cfbkeh32.exe
4192	Cagobalc.exe
1696	Cdfkolkf.exe
2200	Chagok32.exe
1548	Cnkplejl.exe
4880	Cdhhdlid.exe
396	Cjbpaf32.exe
4228	Calhnpgn.exe
1996	Dhfajjoj.exe
3884	Dfiafg32.exe
4052	Dopigd32.exe
2276	Dejacond.exe
2124	Dfknkg32.exe
1112	Dmefhako.exe
404	Ddonekbl.exe
2524	Dodbbdbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4012	3772	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3068	2144	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe	83
PID 2144 wrote to memory of 3068	2144	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe	83
PID 2144 wrote to memory of 3068	2144	bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe	83
PID 3068 wrote to memory of 1348	3068	Odapnf32.exe	84
PID 3068 wrote to memory of 1348	3068	Odapnf32.exe	84
PID 3068 wrote to memory of 1348	3068	Odapnf32.exe	84
PID 1348 wrote to memory of 4596	1348	Ofcmfodb.exe	85
PID 1348 wrote to memory of 4596	1348	Ofcmfodb.exe	85
PID 1348 wrote to memory of 4596	1348	Ofcmfodb.exe	85
PID 4596 wrote to memory of 4032	4596	Olmeci32.exe	86
PID 4596 wrote to memory of 4032	4596	Olmeci32.exe	86
PID 4596 wrote to memory of 4032	4596	Olmeci32.exe	86
PID 4032 wrote to memory of 4592	4032	Ocgmpccl.exe	87
PID 4032 wrote to memory of 4592	4032	Ocgmpccl.exe	87
PID 4032 wrote to memory of 4592	4032	Ocgmpccl.exe	87
PID 4592 wrote to memory of 2696	4592	Ogbipa32.exe	88
PID 4592 wrote to memory of 2696	4592	Ogbipa32.exe	88
PID 4592 wrote to memory of 2696	4592	Ogbipa32.exe	88
PID 2696 wrote to memory of 64	2696	Pnlaml32.exe	89
PID 2696 wrote to memory of 64	2696	Pnlaml32.exe	89
PID 2696 wrote to memory of 64	2696	Pnlaml32.exe	89
PID 64 wrote to memory of 3616	64	Pdfjifjo.exe	90
PID 64 wrote to memory of 3616	64	Pdfjifjo.exe	90
PID 64 wrote to memory of 3616	64	Pdfjifjo.exe	90
PID 3616 wrote to memory of 3848	3616	Pgefeajb.exe	91
PID 3616 wrote to memory of 3848	3616	Pgefeajb.exe	91
PID 3616 wrote to memory of 3848	3616	Pgefeajb.exe	91
PID 3848 wrote to memory of 808	3848	Pnonbk32.exe	92
PID 3848 wrote to memory of 808	3848	Pnonbk32.exe	92
PID 3848 wrote to memory of 808	3848	Pnonbk32.exe	92
PID 808 wrote to memory of 4580	808	Pqmjog32.exe	93
PID 808 wrote to memory of 4580	808	Pqmjog32.exe	93
PID 808 wrote to memory of 4580	808	Pqmjog32.exe	93
PID 4580 wrote to memory of 1608	4580	Pggbkagp.exe	94
PID 4580 wrote to memory of 1608	4580	Pggbkagp.exe	94
PID 4580 wrote to memory of 1608	4580	Pggbkagp.exe	94
PID 1608 wrote to memory of 440	1608	Pnakhkol.exe	95
PID 1608 wrote to memory of 440	1608	Pnakhkol.exe	95
PID 1608 wrote to memory of 440	1608	Pnakhkol.exe	95
PID 440 wrote to memory of 464	440	Pqpgdfnp.exe	96
PID 440 wrote to memory of 464	440	Pqpgdfnp.exe	96
PID 440 wrote to memory of 464	440	Pqpgdfnp.exe	96
PID 464 wrote to memory of 2748	464	Pgioqq32.exe	97
PID 464 wrote to memory of 2748	464	Pgioqq32.exe	97
PID 464 wrote to memory of 2748	464	Pgioqq32.exe	97
PID 2748 wrote to memory of 2364	2748	Pncgmkmj.exe	98
PID 2748 wrote to memory of 2364	2748	Pncgmkmj.exe	98
PID 2748 wrote to memory of 2364	2748	Pncgmkmj.exe	98
PID 2364 wrote to memory of 1304	2364	Pqbdjfln.exe	99
PID 2364 wrote to memory of 1304	2364	Pqbdjfln.exe	99
PID 2364 wrote to memory of 1304	2364	Pqbdjfln.exe	99
PID 1304 wrote to memory of 3988	1304	Pgllfp32.exe	100
PID 1304 wrote to memory of 3988	1304	Pgllfp32.exe	100
PID 1304 wrote to memory of 3988	1304	Pgllfp32.exe	100
PID 3988 wrote to memory of 3240	3988	Pnfdcjkg.exe	101
PID 3988 wrote to memory of 3240	3988	Pnfdcjkg.exe	101
PID 3988 wrote to memory of 3240	3988	Pnfdcjkg.exe	101
PID 3240 wrote to memory of 3156	3240	Pcbmka32.exe	102
PID 3240 wrote to memory of 3156	3240	Pcbmka32.exe	102
PID 3240 wrote to memory of 3156	3240	Pcbmka32.exe	102
PID 3156 wrote to memory of 3560	3156	Pjmehkqk.exe	103
PID 3156 wrote to memory of 3560	3156	Pjmehkqk.exe	103
PID 3156 wrote to memory of 3560	3156	Pjmehkqk.exe	103
PID 3560 wrote to memory of 5048	3560	Qmkadgpo.exe	104

C:\Users\Admin\AppData\Local\Temp\bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe
"C:\Users\Admin\AppData\Local\Temp\bb94f0da17e1991a5dbf43548532341a3208ef5335272649b92bd574b6752d8a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\Odapnf32.exe
  C:\Windows\system32\Odapnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\Ofcmfodb.exe
    C:\Windows\system32\Ofcmfodb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\Olmeci32.exe
      C:\Windows\system32\Olmeci32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        71⤵
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 212
        73⤵
        Program crash
        
        PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3772 -ip 3772
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
79KB

MD5
f925b75fcc1c4d85ba3ba43f1587e86b

SHA1
1055de7a453024cdb2efb338af0bac77912c5c7e

SHA256
f3822e905e416b186d4110e8c95d867f10ee1b7b08cc272da36bbe07f4ee41c6

SHA512
ae22ab986d1d1451b2486e8ad4dcea2511180898252beb2e09be619816a0d290fadb709500a5b83b4266e1d4fcaa76dff8ef411bbaff31e47293d795a663f503

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
79KB

MD5
aa04def0bdb5bbf9358cf72448fe81bb

SHA1
fc5165f7dafaa831573c3018ccfadc134e26cd2a

SHA256
34d68a154f635cd74f1f727fa9be4e47ba9292004ab11901d86c84bcf040d5ef

SHA512
6fbaa4c23a80e16de74e2549b81d3624fa087cbba1d34d5455fe6a3ebc110ec888aaaedd37e17a7dff8c47ca77a4140320eb941e55ed7c3b01847867c6e7b03a

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
79KB

MD5
12fab193b0931e689c1b5cee8c5c9a5b

SHA1
9e43d82b1a879fdb8db290807518fe09c0c6498c

SHA256
bcf055b3b928aa8f79dbcaba86559e45e3231fe5f8af79539256080855fc1a86

SHA512
a34398592b08a9fbe724e98701a568ab2a34f29fb82bad31633432b46de0534d65f5793bf10a05a17d6daf9c277ae6d87bc260b0881088b9aa2a64e203ae7bdc

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
79KB

MD5
cfe40824b61f850dba3b86ac890d48e8

SHA1
447ebc9cfb1c0f4365d08c8402e5b5352939ae48

SHA256
84543d2b038ec3aea5c166197a825aa598d0773eee12b1d24b585ab8ff6b4316

SHA512
76452da36198b03a04924c291f7728be09b6b973fb721aaf4c11d84e8fc4bf161a6a2d2aeccd5d7bd2d585415dd8dce704244db90363e4a252ea5a7c94893133

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
79KB

MD5
b1365a79921b41ef5f90f307fea6bc81

SHA1
915f126c1c0b03b3139495c21776b46d5e19a2d5

SHA256
57a6ee4eded5b5818efee8af35d7a9ec932cf43a4757cd0cb3f1dad44c4b3653

SHA512
5837f65a14d83c5d0c101c179683a8ab66d910b8ab52a8818e5d0c4f400a4026548bf44b09f80f24848c3d1aaca340ee1fb818a8614b993203b031c2e7e13fc1

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
79KB

MD5
782c4f6a83c74c00d6bd159644fa6e3b

SHA1
952c741e06d8f6830c01e6d278fdc85d24b8cb37

SHA256
c0bf3d66f29a82d88990505c8195a329727d7f70003d0c8090439676db78ac24

SHA512
3647ac7821b08e92fa9a907c65f648a8c81626a2a52d1da6f6638c10d3b2919213e1f96ddf4b6b2f191cf3ef1738b7e343b6089d0f5ba2e10629ac886847cd1f

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
79KB

MD5
6087513cfea8175216d3a8b1f4662366

SHA1
e5f688b369c477745064b4803a2da0fedcc8b356

SHA256
567e4cc3f75e753a7c78a457cf09015f669290529d26d0d6c5372fc70d5697f4

SHA512
f7008d83f7db91d7ccd00ff85034508895221774d1b3e9b41479edd40efbc8e5984bc0a634fe17bbb86fc4c02e5f64c2e614b8324888fa683ffa31a062892c0a

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
79KB

MD5
7a0a4b2ecbe9090c69f84c1bf79e7a52

SHA1
6b0c7f12eb7d599a67c84e40f564aa63c0de343d

SHA256
6860c4fabc60d90fcae4e4ee2c16bae311abf7a422e70a8563f169ed72a6f3b1

SHA512
ca3f650a16a1c6d6fe79c38cdd4518ce6e49e84635b002da8d33371f7e5131aff926251387790f9b218043d01f0713321eb567a3b7d9f1631dab57391b42031e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
79KB

MD5
c9c01a71e2a6eb184fa0003364eb419b

SHA1
a8412067318b70653c2bafd25b3e316fc8074632

SHA256
abef158e51a531f3c6a0584578fb0db7021198403b644c57307908acf432ff55

SHA512
170f1ad9e3b82da9b038af4eaa22405ee672b3b16e0874ba282b2a0cfb4c66cf5d1165c690ddf3aca220c6ffefed705b23169a9bcaa00c75aef42b08a6e94e69

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
79KB

MD5
fff51edcc8b8aed5cf47ecbcd879cab9

SHA1
c47379d78da8a3230cfdc3ad4ca92b5249af7496

SHA256
e45c4f35427028fce576b6eb831613fde8a81c48ade71ea2b174a0dd23f9fc48

SHA512
8a37bf8da42825ef9885bb3d88e82404575d58ef0e95d2adcce20900b1e375d4123a6a4039ad04833803a8c79d70f5c3d3dc7e13b67ecb046a3d0414ea249e54

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
79KB

MD5
aa1715d78c52f488d1266f8aa739c8e4

SHA1
7d9b7ef0d4119b55200be3b62647e9659dde1c3d

SHA256
b1f6325a9ccb3ab4b7e51f12e8e7c7555164bbbad1f4f7dc5a4e648c5141a8b6

SHA512
20130d8c66d01347313cac65423ce542f336dac94889fa7455577c682cb173debc3aa14dcb1cac30ea15358e1282fce0a7de743a5d8b294f04e231b4188fcdd4

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
79KB

MD5
761152a830e9fdc6b78a1500ba48ac13

SHA1
b54f675c8dd0bde8643294d0fb3e5ba3950e469c

SHA256
c4912e9d0a34642892b599baaadb426e0a815a78ccca7566a522767a91ceb0ac

SHA512
6d4174c30833c329e13d0c5e4ae38cb46ac818cbab231c5116222f7dad83bc8b3d4253a853335c632f273680043940f49a25e43beb1c715eac48b5a3df90fd1a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
79KB

MD5
3a4e71d4331fd6ed8d1c745c4ee9f23f

SHA1
ff4900ce1c8b12b5ae8d9e09ec07e1d39c8a9baf

SHA256
ac0183e2ea739a0a17ccc33cea6fb74bea9ac3e526eaa282cb54300213f38952

SHA512
7c809802519d51295b252ff90e477b4226493b7abc00b3aa6d50d9b5e9f29e719c7dc40354aa1ce37de26908f5acf546a536087b9100df2e307775a1bfb035af

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
79KB

MD5
684f0dd7ecedc912b5603cf20793ee06

SHA1
d15127e873d221493233b8a94992eeb5cec0b55a

SHA256
d4602acde3ed755a78b46113d1617aff80eb98140f56f14f1e2fbe630cf5b45a

SHA512
5799cabeded229342bc86f72e2967f8b01df2f08a675d20f752d817f96c6b53b1ea1d8db63eb9a22160d6052eb78e12f68d3050430747a913306aaf62eac8f76

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
79KB

MD5
a6d97637023278b5e36de35d66b5dd28

SHA1
f9918fcbad168ca922b8cdbe20e0d85b8422abfe

SHA256
c4865fa29b403ff598e8064626c134daa9fcf3e67e6e229a6078813c1545cfcb

SHA512
17fcba94d01dd1118b8b433a1d4eea43e43f8326b053e6e250ef77c278b9e0e70dc9cd11d326323f139aad4ac228fb43e6662f940c4383895b185036c0e6b6e7

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
79KB

MD5
5fd8ff432001be0618f47c35197a074b

SHA1
30942b8d996f1ccf7fd6df787738640b267b87c7

SHA256
9b9b40d33a8269d9103dc18a13a8af54523be2390f019f0702a4952d532a48ee

SHA512
6141c6c4fb96180a1a276d231289e26870295e6193f8127fc5eb69e51a3a78ac895e1f8b3b9c70ce1bb7fb6a784da09cbffb65944d86ede552e80d07f3ef5b3d

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
79KB

MD5
a8807658fb5e02cbbdbae4c555e5d025

SHA1
90c70a4306eb8d4f6c1b4167f15601419d18eb09

SHA256
056d55d39533ac58ccc9c4c899412f821c96b71b860bcdda72bd1fcf124df99c

SHA512
3d998feac36939ee586070a8d5bcb516a32c933cdde99fa9ceba36b3d6dca96c2df0c577dee3303f756fb27d4fb386cdd20624633ce79f0ce28b5e3448cebef6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
79KB

MD5
597a67ecdfd218b643f04eb943912fce

SHA1
923a8cd3bd8112c2be90912da32b8918bc27061c

SHA256
46efa54c683d514de7bb823d0b4c47c9ad4032663105f0a01b1b95a000676147

SHA512
b9ae93d36720c846e273f02dc7def6dfbc3a503a5b48d8b1ddd5946375a4f3aed8d9b858201ca50cea641135932d596158e77e66efd31b9eb238301e208e139e

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
79KB

MD5
cf7badd1d4b1124fb6cd592280032178

SHA1
4d4a2ca9815d99966f81dd225cbeb26375c660d8

SHA256
4ede72bd99acd6079a2bd7b50258d46e2f494a9368967d0a8c77eb1ad906c232

SHA512
4d8776ab1a3e2011270d3030c5a607acfeaf3c46f7e4a1c840b44207523d485e522b6098ba9343b76815d193781832beeb46b47948b30b229e9074da1fab7074

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
79KB

MD5
02de644839dc2ab18f95d90a970af1d9

SHA1
df6ba2fce866f8eea75fe6fa2a62f5653ee867c9

SHA256
18a97d15f5228720e53794438f487148e9450ff73ac0501449a8797d9fdf46c1

SHA512
ea412ebb6f88f334574b185a07daa7bacc426570a3be1d29a4482cf86e23c02c7a25e8a68d0f943e90eb4e4c3b486862cc586e267e207ea09ab0e72aa9d10881

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
79KB

MD5
86ae1d014f1db8f7c0f18e2547995be8

SHA1
c68049f85f758f68c85c1304f2e5e735a2c4581d

SHA256
1d937db4f6b8d16e32bc24aaf3273effe99237d13e24b8b408568381f4b85e8b

SHA512
5234c5d087f1f994c5322b436a06ae1a8283906b436bc4663b95a59e1cfff9649ed8f256d45da9d55c3b49172ecf70021c14cb572843f36ce580a3354a9b6e56

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
79KB

MD5
0cba557ebf1238c70d6a43129720df71

SHA1
d644feb5e736a4734475d6179c63be706bdab424

SHA256
7a1812ae0812ff8aa97b0f01f3a1a60c11916a917c2733354c048df1de27aac9

SHA512
c503f5c5c68d4ee50b4208c6548e0fd732558c39a94e31c74f7f4eb65deab143fd4cb2334b4f5e4c4cab753f6cc007636eed71e9a33d0ce339dde44f157b47b7

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
79KB

MD5
6fe28a1342ba6211ff435f0eb872c334

SHA1
46c90384e2b9f3599d52308af70935668ab80337

SHA256
3715962b7cead2fec4bfff5264e69c3a1badc4e9fbb0e9feb1b2112bcf552670

SHA512
0301f8b590a8dbdbd69896cf4a5b4199f08a6767d7838b3eb0d22fabe1b5fddf7c915883b29ec1659e52255c2031a7d6d7e6c3243e3196907b5f55f6cd0a3025

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
79KB

MD5
024bfe89e86c8d5807280df76d620661

SHA1
5221d577f1bb77e0aab761bc2eb95a77e36fe5aa

SHA256
25ae6033b0b4eb6ad876dd16a84db2f5b9c83f7aa27702baf6c4937be3822854

SHA512
0bb61a60810978bee5c22d41a0338e3674d302f7f0273f4fdfee3850d2a8813c04ab791df3ea5ef05e154d9707fc9356d57e61c02a093ff1f126691d49f96e63

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
79KB

MD5
9b8a67d66fe57c13f3f2e10f50e7df5e

SHA1
dd092df4906861ebfd2a56c3e6c6908b8544dd58

SHA256
b4fa76659bf50e3e177f93dfc8d167cd544c3c2e93c7b493e3f29b66ba5a9d4b

SHA512
fde71fd08e2b8567f9322a859262223fecdc6021cb418c8ac658acff72eb553a1ed584605a22ce97987985c0f398136a1c4ca36211e29ef752a1a246214f60a5

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
79KB

MD5
ff089c8e46a0c89866b516d8bf1f0328

SHA1
863b8cd8360c38ed9d01bd0559391ac39cb02011

SHA256
3102dc0731bb472acaea294b805760c61b61873251c88e077f138afde030edb1

SHA512
ca450386696212fe001ab80212f8aade5c7e7db1ca1eac086a76d9518c1ebba80b9dc486b1c8399af59ced150c670b3e1e770892afaca443e842c01577b53d9e

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
79KB

MD5
9b3433e8f50b55754cb15019a8fcab30

SHA1
ba5098968c17e1ba64fc1c5397fa8adb5c7708fe

SHA256
99d64dd39f9a3bad05b5ee2db352ef41810cccc7287c116dcf675a3b1f9d0d64

SHA512
076671f137d769bd9eb94238c6c9842f311389d6acfa8902b1ecdb68155d1c28bbcbc77f9f18285f7ae24d1752052bbbec5fe7f47c511f979bc181d8aa74fc91

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
79KB

MD5
43e6c5bd8fe1ba4c989febbfb934c869

SHA1
18e73c0342d622d9ad62aa0ca7f96e10affa3992

SHA256
5260de35e0227eedcacb9b9f3fe5790e88a3e0730badef7cff43180933b3dc94

SHA512
6050c51eb56a4b59c97b74dec56a68a9e5359ea190dadc3144324e7fbe0482b1662e6b9011f4eb0c44bec88821b5075395be523207d85eca0b4dde3f3ef5102f

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
79KB

MD5
b106c127b9b1bcb409d797b91cd85e6a

SHA1
51198cae3fc492520a29abb63b00c2136966c65f

SHA256
f9cd2396d5abd602683cacd80be815a957b5e7bc5de24e8709da5d120d2d2076

SHA512
99b3af70e3eb260bae850e9e8fd398936ddd1f2e83055cd4f22b01bc63e06f8f30451a6a479c5bdc735075e911039b713998dfa3d103d49336df0f5251512b89

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
79KB

MD5
85adfd16dbae554ee14ba93927d47304

SHA1
b65184cfb72dea05f81f4374d1bff453b026d756

SHA256
9e505075d4d25ad3fed18b6e5f6fd9676445918d0572218fdd9d289714868f99

SHA512
51a8f84e3ad6e83758a5f7dc81d20c5cb343795f9a28b512d0fd39826786df2f73cee8807056ff1300b69dc1fe825a1ff93996f24f233da5645d1a1a34d729ce

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
79KB

MD5
b73331b1a893a36773702ffb4b280264

SHA1
43548c611abf071366f04903b85a1766f70fde8e

SHA256
8452e3808ab56393001173695f07fec039f0ae3b835025e97ffc90b64c8b5a1b

SHA512
0cd48dcf7d78d4936ac417fc50b3a5f50d8911537be2540c270e426ee09df2e130f8b9bed7fd015af6b7964ef3f056dbe3337d5a58b83af334581598fd659c15

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
79KB

MD5
45be8b3ae6a6b323d52355637abb971f

SHA1
c70129cc4cafc6b54ec291064f69acaa9c5775be

SHA256
7e029106e550330c5903bf019dbe4e94f062d1b7e98bb0a039da49beed1a3e61

SHA512
a5e170c29619ad0003b469e8e4480b0b295143d5972d0fb3f7217d5e0c3d277cef99d0165a08099150598135e9045dd708f5d8c690afdead9d8192d5bf909e6c

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
79KB

MD5
792a2be93b0d2e976004260fb688dd52

SHA1
18cc657cf6905afa62483e506d94b75bf2006bc4

SHA256
6ca891c619fa73f86629fef0eb30efedee3d11541f6cf8f865062ebaa165afae

SHA512
2559e1d7f7a5832a0cb4b9794733c1a54f5e896169728d1bc41333fe1f142ae8c851cc302e7a9735f342a5abfcfddda48dbecce5071ea6648fc13824727dc174

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
79KB

MD5
f9e51843c6e84ed8d4b0023e32079e24

SHA1
be077d63320b6be3dce5906c855f2bd429291690

SHA256
86f262d565c4b74c9c509c9141cd0481a11a49ebbf80bf3c6d6674fec8facabf

SHA512
497f2ea730068069d7324d34878d6c35f0cdd64e2ba74ac304a68e7b8d6942ad75119b8a4c8c977160d7d9ad219fd78709abe17b17ed9f612da8fe270c524fa6

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
79KB

MD5
06fa0d9dad6d5381a30163fb755e3eee

SHA1
d82cd326cfc3c4a55db97d164ca48611c00023b8

SHA256
44110296640267ae371db76431a87a4133afc3bf1c73b9fae316f3f1f882e9fe

SHA512
b480f499b8e6e85a76edd80a7554e87aff6053c1d1f6fe8bdacd62371b2e36cccccaedac3e84bd0cf6f0a2b542e0fa64c8be7e1bb03763b4ae52e4eb5e8444bb

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
79KB

MD5
309d8091236c969bd44094eecd2b9537

SHA1
d7fcfc9488204dd0552d8b88a8ed9db3da6fe31c

SHA256
38bc0c970c492d67122aabd540feebffaf29e4a9d31606d2d0cb009f26084259

SHA512
65961d43a534146d771cfeb0be25c7e53831467afdddeaca20019a10c3041af6b094cf8885b57635ebcdd9442aab155b2224bc66d2955ba9ddd4e914b0291fbb

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
79KB

MD5
de53e996922b807b940c300736fab3f7

SHA1
40173069d37f75c4a4554ddd99f481ebfb95f7b5

SHA256
868e994f44c5a55ae6f098ad73290c526d606be6ff4cd9ac675bed5c41750cd0

SHA512
889abf79fb91ea5ceb4cfe58bea1eeaa58955e3f84fa4aafb161c1c8ce73a888ff9d5d3422395675bea0180ae3c60e6794f0aebe105fb1378bc3f42d30ea43d7

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
79KB

MD5
6f28485437b53cca1659f20d53867a61

SHA1
7761b50ee4ef117b212fa41b58a7c25e0ed921d8

SHA256
b86b6232481b0a3311095c9e95f68cdf26125a349e0fbd28c7647ef16d308422

SHA512
75a6dad8b1f58da2460f49f08c78e58b774d47e0dc1b131016ba7a5e7668f0c3021fa9f8965502c6172e81aa7c8f1712b3e309dafa02dbbf4d72cfeda7ddc1a2

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
79KB

MD5
870e1e7de4ae6d1f9725f8b6fb3ff70f

SHA1
239574e3e7227cd5e043f6069e8c608e96ce2806

SHA256
3e7e1c27571e8be0eb80cd33c0e9964fd3d6653ef139d404af99c6e4607b2469

SHA512
63b1371ba62fcd48f9dc911a8c558c3fa2267fa51f8d35785b04606220c2ff4777e605bf069f4670c8ce20bf34563108c453cdbfc02eb48317a0e66f7665e92a

Download Submit
memory/64-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-506-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2144-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads