berbew | f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441a

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
Size

96KB
MD5

630721eba84daf9e0ace053e22a94630
SHA1

c1ad1582d4a383e52014b5e8b53571c07937eb4f
SHA256

f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441a
SHA512

54797bf0841568bd81e7387cc2089a199e16361adc83a3abd11fee5045f3481b4554876c057b6136c853c40496bbe6f9a055ba227e4baedd36a3a95b012c2a99
SSDEEP

1536:bIjJYNoSA95wE1zEFIqE1/iL2L4ZS/FCb4noaJSNzJOF:sjJYNoSSwEaFw/X4ZSs4noakXOF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2828	Odkjng32.exe
3148	Ojgbfocc.exe
2104	Ocpgod32.exe
2060	Ogkcpbam.exe
4940	Ojjolnaq.exe
2756	Oneklm32.exe
5116	Ofqpqo32.exe
1452	Olkhmi32.exe
4276	Odapnf32.exe
1064	Ogpmjb32.exe
2648	Onjegled.exe
2276	Ocgmpccl.exe
5100	Ojaelm32.exe
1512	Pqknig32.exe
1396	Pcijeb32.exe
3124	Pfhfan32.exe
5104	Pjcbbmif.exe
1944	Pmannhhj.exe
428	Pfjcgn32.exe
4208	Pmdkch32.exe
5020	Pcncpbmd.exe
4124	Pjhlml32.exe
4600	Pdmpje32.exe
2240	Pfolbmje.exe
3576	Pmidog32.exe
3152	Pdpmpdbd.exe
1444	Pgnilpah.exe
4508	Pjmehkqk.exe
4504	Qmkadgpo.exe
4948	Qdbiedpa.exe
3784	Qjoankoi.exe
1960	Qnjnnj32.exe
4328	Qqijje32.exe
2080	Qffbbldm.exe
1836	Adgbpc32.exe
4892	Ageolo32.exe
3320	Anogiicl.exe
4764	Agglboim.exe
3964	Afjlnk32.exe
1988	Amddjegd.exe
1252	Afmhck32.exe
3980	Ajhddjfn.exe
32	Amgapeea.exe
3604	Afoeiklb.exe
752	Accfbokl.exe
1920	Bfabnjjp.exe
2424	Bebblb32.exe
1508	Bfdodjhm.exe
456	Bmngqdpj.exe
4024	Bnmcjg32.exe
3908	Balpgb32.exe
4200	Bfhhoi32.exe
4088	Bmbplc32.exe
5024	Bclhhnca.exe
1052	Bjfaeh32.exe
2364	Bcoenmao.exe
3500	Cndikf32.exe
544	Chmndlge.exe
3188	Cmiflbel.exe
3116	Cdcoim32.exe
3192	Cnicfe32.exe
1312	Cdfkolkf.exe
1224	Cjpckf32.exe
2356	Cmnpgb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4984	4332	WerFault.exe	160

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2828	4768	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe	83
PID 4768 wrote to memory of 2828	4768	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe	83
PID 4768 wrote to memory of 2828	4768	f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe	83
PID 2828 wrote to memory of 3148	2828	Odkjng32.exe	84
PID 2828 wrote to memory of 3148	2828	Odkjng32.exe	84
PID 2828 wrote to memory of 3148	2828	Odkjng32.exe	84
PID 3148 wrote to memory of 2104	3148	Ojgbfocc.exe	85
PID 3148 wrote to memory of 2104	3148	Ojgbfocc.exe	85
PID 3148 wrote to memory of 2104	3148	Ojgbfocc.exe	85
PID 2104 wrote to memory of 2060	2104	Ocpgod32.exe	86
PID 2104 wrote to memory of 2060	2104	Ocpgod32.exe	86
PID 2104 wrote to memory of 2060	2104	Ocpgod32.exe	86
PID 2060 wrote to memory of 4940	2060	Ogkcpbam.exe	87
PID 2060 wrote to memory of 4940	2060	Ogkcpbam.exe	87
PID 2060 wrote to memory of 4940	2060	Ogkcpbam.exe	87
PID 4940 wrote to memory of 2756	4940	Ojjolnaq.exe	88
PID 4940 wrote to memory of 2756	4940	Ojjolnaq.exe	88
PID 4940 wrote to memory of 2756	4940	Ojjolnaq.exe	88
PID 2756 wrote to memory of 5116	2756	Oneklm32.exe	89
PID 2756 wrote to memory of 5116	2756	Oneklm32.exe	89
PID 2756 wrote to memory of 5116	2756	Oneklm32.exe	89
PID 5116 wrote to memory of 1452	5116	Ofqpqo32.exe	90
PID 5116 wrote to memory of 1452	5116	Ofqpqo32.exe	90
PID 5116 wrote to memory of 1452	5116	Ofqpqo32.exe	90
PID 1452 wrote to memory of 4276	1452	Olkhmi32.exe	91
PID 1452 wrote to memory of 4276	1452	Olkhmi32.exe	91
PID 1452 wrote to memory of 4276	1452	Olkhmi32.exe	91
PID 4276 wrote to memory of 1064	4276	Odapnf32.exe	92
PID 4276 wrote to memory of 1064	4276	Odapnf32.exe	92
PID 4276 wrote to memory of 1064	4276	Odapnf32.exe	92
PID 1064 wrote to memory of 2648	1064	Ogpmjb32.exe	93
PID 1064 wrote to memory of 2648	1064	Ogpmjb32.exe	93
PID 1064 wrote to memory of 2648	1064	Ogpmjb32.exe	93
PID 2648 wrote to memory of 2276	2648	Onjegled.exe	94
PID 2648 wrote to memory of 2276	2648	Onjegled.exe	94
PID 2648 wrote to memory of 2276	2648	Onjegled.exe	94
PID 2276 wrote to memory of 5100	2276	Ocgmpccl.exe	95
PID 2276 wrote to memory of 5100	2276	Ocgmpccl.exe	95
PID 2276 wrote to memory of 5100	2276	Ocgmpccl.exe	95
PID 5100 wrote to memory of 1512	5100	Ojaelm32.exe	96
PID 5100 wrote to memory of 1512	5100	Ojaelm32.exe	96
PID 5100 wrote to memory of 1512	5100	Ojaelm32.exe	96
PID 1512 wrote to memory of 1396	1512	Pqknig32.exe	97
PID 1512 wrote to memory of 1396	1512	Pqknig32.exe	97
PID 1512 wrote to memory of 1396	1512	Pqknig32.exe	97
PID 1396 wrote to memory of 3124	1396	Pcijeb32.exe	98
PID 1396 wrote to memory of 3124	1396	Pcijeb32.exe	98
PID 1396 wrote to memory of 3124	1396	Pcijeb32.exe	98
PID 3124 wrote to memory of 5104	3124	Pfhfan32.exe	99
PID 3124 wrote to memory of 5104	3124	Pfhfan32.exe	99
PID 3124 wrote to memory of 5104	3124	Pfhfan32.exe	99
PID 5104 wrote to memory of 1944	5104	Pjcbbmif.exe	100
PID 5104 wrote to memory of 1944	5104	Pjcbbmif.exe	100
PID 5104 wrote to memory of 1944	5104	Pjcbbmif.exe	100
PID 1944 wrote to memory of 428	1944	Pmannhhj.exe	101
PID 1944 wrote to memory of 428	1944	Pmannhhj.exe	101
PID 1944 wrote to memory of 428	1944	Pmannhhj.exe	101
PID 428 wrote to memory of 4208	428	Pfjcgn32.exe	102
PID 428 wrote to memory of 4208	428	Pfjcgn32.exe	102
PID 428 wrote to memory of 4208	428	Pfjcgn32.exe	102
PID 4208 wrote to memory of 5020	4208	Pmdkch32.exe	103
PID 4208 wrote to memory of 5020	4208	Pmdkch32.exe	103
PID 4208 wrote to memory of 5020	4208	Pmdkch32.exe	103
PID 5020 wrote to memory of 4124	5020	Pcncpbmd.exe	104

C:\Users\Admin\AppData\Local\Temp\f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe
"C:\Users\Admin\AppData\Local\Temp\f558e94c97e5270815590eebc0e14bd6c4f91cebf66fb321f6f5c0095cd9441aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\Odkjng32.exe
  C:\Windows\system32\Odkjng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Ojgbfocc.exe
    C:\Windows\system32\Ojgbfocc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\Ocpgod32.exe
      C:\Windows\system32\Ocpgod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        36⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 212
        80⤵
        Program crash
        
        PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4332 -ip 4332
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
5fb150efd3be36f8dc79adb5a963fff5

SHA1
0e3a0659672c5da2cf89698ccdaade329757a636

SHA256
199616edc3f29ad6ba4ebe56e9b7f67a2c6a16e5f189378571a7a35819e49ef0

SHA512
0bd4ae2d3658733012e4f4d85f88d3e16bd8ead20871935c8505f924c0337eb480eddb2844d908797cb8a27ac675c2444d18797d3ca44c3249d047dba82e74ab

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
ac2b297d4aff6bb51d61041a4902bebb

SHA1
f224d12400acfe405cd4b0a0abf2a0d9e0fab443

SHA256
b97b0fb0e7664faa2a4731c08d2f2471d78dd04052015220d91b05d16f025d02

SHA512
227526bd585d0d9cb79c4af25e428d8893e93fe0da793ad6042115437b50f4ad1a5f5d4fb4cfe1235701f4a48d3a35636ff21fc5cbf15de5a163dbbc8382cdbc

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
c3ed7c898a2748d95ebc27a98a1e7e55

SHA1
3e840c15ea72d0544bc67b9025d2fa0f60a173f8

SHA256
30c9f875e74d1a73ce7c353b535c8aa53d466429dbc37e98991d006f28776cfc

SHA512
7a7e38310601e4f0f83b4608feae2e6d4a9dad6b976399486916b3647a46c231b243dd4bc7e822f324535c1e7bc69b70b99eb9d9e76939453dd36da7ee7e7525

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
0677600a3942f75cefcd3f600995ff0d

SHA1
23ada081f54f85c100f9e2ea2c309f2b09cb035e

SHA256
4f9c5ac16c1d5476d6c814f37d7f3fdbd2f0d9409cbed320cfe629a8240b39f3

SHA512
1b2d036a98941a3bfca0940f5b09b00024e7181e65ebff951a671e04cb37603021f5391018b1725eff70b952e319bb0ec212dd03968b5fcdb0a74be83672a703

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
7b511acda87b5cfd6d934135e50f2961

SHA1
ebaf9a44f80bcfcbca9e51dc4d56e6b5b0a7a0c3

SHA256
541802cbf5d5ba81315ad1d48729d3d30e715d4ede6160aceb8e5eeaa84b3211

SHA512
2ed1d44e5a5626bfc464ae2854220fabf74e33d41328023c5383b1b9aa3b8fed670a49fae034a30be29dc3f177b5811589fda90a09d706e7a3d05d90e904aed4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
486a743c82fa5c4a75ea8920300c4834

SHA1
66449994d2aa97e10e4daf8b803e9c7613f28f84

SHA256
7a8b3c3138a7de9810e614dcebc6a3bf6ca408d07f0a61dde0e7d1eee678b3c9

SHA512
6b03d9d3648e33d4167863599e9ca6a334802598e50040f679ea9fbf0d2d7ed5e9a71e899f9dee5db4b148b445b98fd615d728726dcf5a0fe44dbbe2f5079f75

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
db93edc4685ff0243db8c62463150288

SHA1
eebd35be2a5acff8077a5929772bf3576058970c

SHA256
7896b2bbe3c785b8a668f291b297c57cbdc37e6268cac1c89535c136dc7985d6

SHA512
79c018dd2a3b7d00919c5928499e143f06c824fa7e0dbaf213f5da84f6343cf60bfcbb5d5ca506c02e864104c38c033a9898fcb97889108d8abc20673a8e8cf3

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
08b05ad99a479b8bfb522da68d35682f

SHA1
a151f37d657d64053c123bb2789c6a111df42a82

SHA256
3f5b5df4fa41306e4c896a8e8a81dda4a370a771b69e16daf324217ce019f682

SHA512
92262182607ce98f9e36faa06a994e00e6275f88301bc961c54c2298c43791ca0170253c2e92002407eeff6d881a47bb0f9f4845f36cd7693b519d7f888192e8

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
6a06fd34dad68e35915dad813a0ed42a

SHA1
a4978c9f7696cfc80d819b324dad4754caf482fa

SHA256
58993542ea230ca029cc94537724949e471d4b52704b72ae2c5350033aa61616

SHA512
71079776d0288635bf4bc84b8494bd4765169e3e6b308457648a9424daaa99b9b1a11c1207744a52ce875090abe44c4f3508a38643ed676883137dfefaf1abd2

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
6aca402fcd40ec260d83f29d354f01e2

SHA1
fc71019f2d228bde2fb2c0b06bfee15d3401446e

SHA256
030ce7e76f7e9c1c1f84af449459880bcde4b81c5bd351859ff728c46f8bbf0a

SHA512
9a44bd64d206069537ea511dd9e09c53defea98d6371f65dd795203882c10a51a1508b9f80dfbac6e83197cc9f7dcfc0c0a2f161bac17e786cf4e89b269e78b4

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
69b3803436d786235afa6d7a9b8fa70e

SHA1
12c480e600c58a329ae7fc7f309ffc0129571d7e

SHA256
c863ea013fac71dedde10d04f5207b6c8aced762f8e451eb57c14c41079083d2

SHA512
97f8537af9593b2551a7950fac7f3628ce512d5b14c3541072cfa386e90b37288e75a4c7121385c6da69a20e980737b2727b4681c9140ee459a38334880e221b

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
75f054e451e6f5dff5b3b74b1d6e536f

SHA1
bfdb03a9022c3600ea1e77d9781563775f52b09e

SHA256
9e2d12c715b80711b8489e58f864ffc0a0ac5ede9467b66c10b6094ccb25959a

SHA512
509cc703de3a9d55676006ea640260fcb42a62783c4e98fe904a024b7124303df56ea3a3cc1d868f9d0f3d4c1a0cca72bec51953fbbce273b306d15c427fa77d

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
f1f4a97dadee1cd7b6a0425bd9ce2b0f

SHA1
fb4262efe4beab2996980362c0522876f26c1256

SHA256
b6caa5f1aa56469b8daa4e4f75050b7b7bfe2992b268709c2375f4a48d16baf1

SHA512
59c9d32f48bf7c4bce33de4e34780ac78a6877b4d9ff6618907d9e9e6e518323d132139ad1aa7ccde30abb6c871c6f97f7053be837736595e7b028fbb7f04032

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
96KB

MD5
898eb35ea80147ddcd988b9c4f0b0152

SHA1
80c02e922bf0faf283f8b68c113829f0234ab176

SHA256
853b78987df24b7cfd19940053aef93c833cd4c7f4f1e8eaaf4da4c4fdfc1fc9

SHA512
3c375d816b2e11abd40099f362130a034ab945cf6817a7c124f9e18bea81709c4017ff54d11a4c20e46186bcfc1e63aef6c9245dd6cee32852d4ea53383b11b4

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
96KB

MD5
b91037ff756856528b42d69cb04c1695

SHA1
989973141f3d63e57ceeb8b20e0336790f7c8eef

SHA256
43401fc009f5df64fcfc4132f6cd87c62030b4d1e840086cf45f47c9ca2635bd

SHA512
8a4e6e0dc8476d46e91700750dedfe8147bbabf70b7337eca68c2fc48e1de3c36bb954084b0d9e19566fa49b0f2940ba264538fdbd2ed2cd2cb7f83d30daaeff

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
96KB

MD5
755579f0b65ec65b2ef9b5314e3835f1

SHA1
12283265ee6f8c4d37de403412648f8b04fe187e

SHA256
a862e516e8ec0ffd2340598d97d6453ac5e21beed77b2ce2f166afbf978bfb4e

SHA512
5219309fe276ffa1a5791a464386e1d8e05bd86e58f73d91f23f61e050f9a3f600768ad65642470fa9127781982fc12bf3a378bee953026e83a4dbb3de785b1b

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
96KB

MD5
09d24634ba056da1769233d0d46f924b

SHA1
ab32075dd1cf2c750ef3d5f2d4049b3c02ccb1a3

SHA256
80d39d433b5bfb43f799441e4786c1bc0efe46043a48d50b98860e0e3bb4dac2

SHA512
3d715d85209e63e0c2fdf8d24baeb4fcfa4b11cf320e258b3ae9e53341d64415c8b4ad1ed3fd3f1e3a63946fb5ed9c0dfba2a1f87b4e4bb81532997e9837367a

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
2c419166e9afb521b1b97f73c52ffc7a

SHA1
6f5690b9eae887a08f4f311012b6ae075ca4b9b1

SHA256
101fb7e231d95b043482d726fd533f1dde06570bd0f00b32f6d40db44884a950

SHA512
d3a91a4d3c51deadd6938169dfc2b47ec5020588cebbf3b50ad68fdddb73b2cf3b936b31221d5be98ffd0620878ab770a1c1cacbd3e384ca3d2d8ca5abe9cc68

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
abbc7775e9388eb2eebabe9f7e176f20

SHA1
fdfc6de45fbc494b2ade3111a938a5fc4f9b84fd

SHA256
581342529764a1180ea6d2ed3444793556ed17306993ae2398d77bb876f1504b

SHA512
16f9e63281d984ef88a05d4cc1d45c2f0382594713c656fa1ae9a28d397553a91f5a6720786bb6f725488db3ad1397cdb72d261c38281b2299f6f1432f95278c

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
581a9e4c9a7cdf21c73c3299cc1012cc

SHA1
5901d0fb1ae77573a5e3590bee7b740748e6a992

SHA256
f9c6d97ec692a08969ba9b19bc65c029e5a4718709e3f8c936ed7c600f6f3240

SHA512
8d0689a0dbf2e0dd377ebd36413b65feb91725d7517271c70f8de399a538ed246dd048d02ad70ca3e49a6c40387dd3b7410bc6b9f073ecebf3063e1f21a99acf

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
4f55c56774959351ea3acd94b0fa54ec

SHA1
bfa64ac4f897ffbb5caa98eb337c6c9b31b237e9

SHA256
ba1708ecc7fcf908fd724aab7e6ce86d1f7eb0c0af7737c710de625acfca19bc

SHA512
d6419af882f3c0d6b5869dc5b7d61bef55d40d01ab64abe798713efa9d8aad1ff49b748dd746ef1db14248f04c5a38f4d3d8c4a236474045d48075dd8332f61d

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
606558791ec6988fc3c10eb3a17357cc

SHA1
355796557bd599759c4a156eb79c082138f62cec

SHA256
b90771aec0b9a5d9b55d8b54a105786807c7262a2ba9f6e5e492fcd3cad088f5

SHA512
adb0f3dea5e894c7fa75b31288fbda0a7f6c4f15b0b95ba11675e46f6cfde8132051216496cc149ff979c74ed9414d9caa746e8b1ad42dc52a4c253974aef864

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
40a295e9300cbfcec1747adf565de6e8

SHA1
00a0dd48370826b0d4834f053c21ce1b48510a96

SHA256
e5bcc620d0a2de7a34aea1109be7066584ba605bf9025415858b2bea709e0c1f

SHA512
073f61cbe06376995a78f2cddc908f71849e8049c86f369f3518cad010db047c553b96cc86bcc4f405a0a7dcbc092221dfea25749813ce5d075728716cab092d

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
3c8f30d79e53d980aaa6d67f15b83d83

SHA1
aaead525832c659cec4c3a7786021aca10a37718

SHA256
cb9e84cfcb33fcb0b76806cd08d9ab8dea02e149b9227b707b72c93e7d455e21

SHA512
4b7234a602326de11338ca2036b1cd27adc350bd63e419134e8f51d7c7a05deb9f9483f43d9c023ca76873bdc0689db003d079bf5fb02fd47913c50c44a8283a

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
b900d8378c58461f0a33c28f4e70e050

SHA1
9258d9ea76581720d3a6370cf3247180a222147d

SHA256
85c292febc940d198cf66febc0d4f7d96c451dffbc95676fec2a074ce2168a7a

SHA512
af1bdd30b11dda7dbf2fcf0c28d842b909ffa13a0159221a1914ba8ad2fbf3049f0fb044edfe8d8b5e02d9caa7ec81a5ae8b2558726a4e98af7c5260c5caa1bd

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
67cf80c6856fc4688c595a135fb1d075

SHA1
ae91b929e4627bb3aa5667f5f37020aacabfd9c6

SHA256
c45c2fafb478bdad8adaa6998cd27764f6dacc57ae2d0ce2be21d9863c70234f

SHA512
ec1320719d3b883e192fd6a3c26f61c71b00b0318fd1adcce8cea08a87d7854c39b4bd71be462e013df3cadd0dc83f67728cde6f294c86127943255baab0cc80

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
3a795de74685dafa5989536da47f5661

SHA1
b337b4d0ed62d6e8641337cdcd3bc7119f4eea93

SHA256
30c95775c048b7dac31533f1c891d8b8b673e6159a5a5f9636d5bb025b1f72be

SHA512
e9a76ca04bd913eb8c5b26c5c839135020fb2ff823ac866dd4f95174cae7443cc23f856150cbf912c8d69dff8b74aaae3266d01254b5ca28cf222ba413e515b6

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
96KB

MD5
fd2212596265498aeec7f2796ec538f0

SHA1
5722279596eb0b1330f5a0bb0142935cd2603013

SHA256
29f6282c5ba94454a5ea8d61a1d3013a34583ffb0ad37b2d6b8a170fb8d25777

SHA512
b980acf83a9e2a71c293fe90e817611194d05bd9b3505c9e36b1ad10b61e3b6613331513ad7f16fbdbb90f78495dac3f7d7907e47d15fd43c1e8090db020c5be

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
68a30be0ebafbc941d0308e3cf9e01bc

SHA1
ef8723f1ba70059ae4c9e4703cb0b470b9434b6f

SHA256
0e3dddee2157fdf2afb51c65ef95abfdf2b36f487929328bfb3c6fac715d4e1f

SHA512
719de248e6bb6156adfc5af062191238a9a61ded6525c40556cf773ac28866e168a1789f5b30b36fdabe06677397b9a9f3649d568e7a829242fdb9f3f103f8ed

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
ead752115ac3cc417636f961f38d2a5f

SHA1
16abaf771fca36b60367fb131e36e1b2e0eddf8f

SHA256
3df1b17f3c074d9d93ea83c4e62271248461890c901d30e344ad8db437260a29

SHA512
133330ee217ef1374afc0c3ff95900e985f6820befdac86ec8b2ce6acbe4693ce775149721645b27f4c08823b87af1727fd49d10294744ee413fa38fdcffd707

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
f6d652e5bc004ac7ceaf845d04f3216f

SHA1
f85528b9799afe13084950f57701a7d36e5fd60b

SHA256
a69a496d159541ce7bbf1c4f7da6c7fbb4fc810e610812c84b58d6741c919439

SHA512
d57789f95eb7127f8dbaa377d845abd36ffbe4cd68d51d6eee2038e9d26a6794ed7d722c812752b742d4d6da709e5334bd520ccff057188763a16d47d3b3f99f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
b575aa9e6f2c4fbdbb3d54a0085fa8b5

SHA1
36db45a3ec60536335757c8dbf399f864262fc07

SHA256
6ada35c99140fd4c543db672806fd1cc777f3fb1e1790510b1a0a33d3efa0a26

SHA512
bb0c5c05d1e82f24528f3387fad61bf22d4e86717fc8c443369c0f95fac8b704e6d4f8613c9a1ee0ce4d75674fae8464193b6d7e0fe32b15d12d5270c9b6e69f

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
c3d4f8a4d6842f4cd290dd3133163fcd

SHA1
910c21d51cd7a32dcfe4fe112167192b2ca21495

SHA256
591cb086ca500cad284f311b921910a09dbe07a0536da84f261708c8cbfd02dc

SHA512
46b0fbadf48d1affb4a49d941b472282c4aa70413909f4a51e4bb1fd2b67334b771e49453a99c5384b950776c51f696fbb332b7d2dd63e3cbc6837fdc6ee83ea

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
96KB

MD5
3ae88166e8d0e1a06ab6f692f195e1a6

SHA1
b3854be2b1387aa66ef3dcf20ba99be6fe028de3

SHA256
8694075c7d0d35bd741e5b4c9256ca873b19eb8ab7fd7f48c5c50b1d9778eb60

SHA512
9ce096be3915b7f62bbe1f06fffe5ce4e476c2a22d73c5304d47c4dce450e8965d1c9d7d2fd0533e25ba1a47d3410788d4edc5d8b27a5d4a8d9ad25f1cfc030f

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
4d358a92e604048445f839ad31cd4fc9

SHA1
b58742a59e9daa16838419fe4bad2c63f09d94d2

SHA256
50f69a7fc55db45971a6f4a29ac64d10c88a75aecd6ee18b49a3e40746da12e2

SHA512
138eb7f31f842ad103334eceef12146be87e625be33c61ebc26a76e42688a328ab40d9036ee445e1f9a57c40c142fcbb2a7febdc4b70e7a6d207caaa5807af52

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
5ccf43f2df434c78970df385c0e6d7fa

SHA1
0adedd681733efd5264a7e01728e10327ea32df4

SHA256
f4834ed96245a662a33c8850913ad73a98d320527436dbbe84f2827e25f45b09

SHA512
f60d117d7d3bd2f724b8a2f5613547bf7bf3a806e2088fe239658f1a2a34ab328092bfcc72f96b1f8e5982bb7929b36a75ea14b0e070c99875e676af88d0eb22

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
f5c2ef3a1caf3d7a9e499fc59c19e46a

SHA1
e3ae175e50ecddfc9f5582532d9e819be4f7755a

SHA256
eb3bad99e8c6d41146c3a666d8de95df408997bf783f081f92d9bd8e730e6e6d

SHA512
7c123759448539eed046099f3ae01d030e4484e6b1bbc77885030fdb8fb56f880b1dd58335cdb94ff02008dbd42fb18b84d26e8ddd4026604e8c3049611c92d3

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
e515d62289d642296f4735e68070d070

SHA1
9ccd5b5435f2db5cb1c22b8e3dd9742d6ad794ac

SHA256
03420a02dd15c6693998f07c54ea8aab8cfb28b1811b94a272d659a3891b7df7

SHA512
33e6f9ae5ecf39196576eddbd9d4c505510e7befd37139202e0c8c103a4727c6b6ec45b765ea8a8ec863fa0269ff5334a4c76be2f1d2df4b44f3ff5400a07958

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
fcd7d8168fd8daa8700bfde9007f8cf3

SHA1
cd7a1f307d911264a7e9239572aff86fd7341952

SHA256
397d5f8ccdf7e35771ae0ab64740a06318d418a2e5342c27778b332324e01950

SHA512
906fea39aea0fe342d641e8e0c876a819de21cb188fff215afd8928dccd3a80c67a83fc375bc0a32053fae7893a5e078a2d4e48e968f2d57b16e6417901a7308

Download Submit
memory/32-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4892-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads