berbew | a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
Size

93KB
MD5

aa0532ef9ea187f8f097d4de582d9ce2
SHA1

4d2f676d248acbbae6edba6859162c886dd71d1c
SHA256

a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211
SHA512

5c505e60c9ccfed8eeff01c68a281d8a1856f1ea4889cdfeaaf3305d3213527f46780048fb690f6ef3df2caf4ec8f887b79a69ceccb50f532e31cb136a00d9a1
SSDEEP

1536:t2IeQL1POfZktFMs3PNTRRBnxjIUD1SZDWFaO8kleu1DaYfMZRWuLsV+1D:t23WOEvIUD1SZDWFaOvlxgYfc0DV+1D

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2380	Pggbkagp.exe
3568	Pjeoglgc.exe
4248	Pqpgdfnp.exe
2336	Pdkcde32.exe
5000	Pcncpbmd.exe
816	Pmfhig32.exe
2052	Pdmpje32.exe
1772	Pfolbmje.exe
1500	Pnfdcjkg.exe
2172	Pdpmpdbd.exe
4964	Pfaigm32.exe
2512	Qnhahj32.exe
2424	Qqfmde32.exe
4176	Qfcfml32.exe
2124	Qnjnnj32.exe
5004	Qddfkd32.exe
1732	Qcgffqei.exe
3216	Ajanck32.exe
1872	Adgbpc32.exe
4776	Anogiicl.exe
2168	Aqncedbp.exe
2044	Afjlnk32.exe
3108	Anadoi32.exe
1184	Acnlgp32.exe
3876	Afmhck32.exe
4232	Andqdh32.exe
3852	Aabmqd32.exe
2492	Aglemn32.exe
1096	Accfbokl.exe
4420	Agoabn32.exe
1132	Bnhjohkb.exe
4244	Bagflcje.exe
1056	Bfdodjhm.exe
2696	Beeoaapl.exe
1440	Bgcknmop.exe
4368	Bmpcfdmg.exe
2932	Bgehcmmm.exe
116	Bnpppgdj.exe
1940	Bmbplc32.exe
4604	Bhhdil32.exe
3340	Bapiabak.exe
5032	Cjinkg32.exe
1484	Cndikf32.exe
3128	Cfpnph32.exe
648	Caebma32.exe
1472	Cdcoim32.exe
4136	Cmlcbbcj.exe
1236	Chagok32.exe
4976	Cnkplejl.exe
3312	Cajlhqjp.exe
3648	Cdhhdlid.exe
1368	Cnnlaehj.exe
3580	Calhnpgn.exe
4660	Ddjejl32.exe
1992	Djdmffnn.exe
4652	Dmcibama.exe
5084	Ddmaok32.exe
2016	Dfknkg32.exe
3792	Daqbip32.exe
3952	Dhkjej32.exe
456	Dkifae32.exe
4540	Deokon32.exe
1104	Dfpgffpm.exe
2928	Dddhpjof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	1152	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2380	2548	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe	82
PID 2548 wrote to memory of 2380	2548	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe	82
PID 2548 wrote to memory of 2380	2548	a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe	82
PID 2380 wrote to memory of 3568	2380	Pggbkagp.exe	83
PID 2380 wrote to memory of 3568	2380	Pggbkagp.exe	83
PID 2380 wrote to memory of 3568	2380	Pggbkagp.exe	83
PID 3568 wrote to memory of 4248	3568	Pjeoglgc.exe	84
PID 3568 wrote to memory of 4248	3568	Pjeoglgc.exe	84
PID 3568 wrote to memory of 4248	3568	Pjeoglgc.exe	84
PID 4248 wrote to memory of 2336	4248	Pqpgdfnp.exe	85
PID 4248 wrote to memory of 2336	4248	Pqpgdfnp.exe	85
PID 4248 wrote to memory of 2336	4248	Pqpgdfnp.exe	85
PID 2336 wrote to memory of 5000	2336	Pdkcde32.exe	86
PID 2336 wrote to memory of 5000	2336	Pdkcde32.exe	86
PID 2336 wrote to memory of 5000	2336	Pdkcde32.exe	86
PID 5000 wrote to memory of 816	5000	Pcncpbmd.exe	87
PID 5000 wrote to memory of 816	5000	Pcncpbmd.exe	87
PID 5000 wrote to memory of 816	5000	Pcncpbmd.exe	87
PID 816 wrote to memory of 2052	816	Pmfhig32.exe	88
PID 816 wrote to memory of 2052	816	Pmfhig32.exe	88
PID 816 wrote to memory of 2052	816	Pmfhig32.exe	88
PID 2052 wrote to memory of 1772	2052	Pdmpje32.exe	89
PID 2052 wrote to memory of 1772	2052	Pdmpje32.exe	89
PID 2052 wrote to memory of 1772	2052	Pdmpje32.exe	89
PID 1772 wrote to memory of 1500	1772	Pfolbmje.exe	90
PID 1772 wrote to memory of 1500	1772	Pfolbmje.exe	90
PID 1772 wrote to memory of 1500	1772	Pfolbmje.exe	90
PID 1500 wrote to memory of 2172	1500	Pnfdcjkg.exe	91
PID 1500 wrote to memory of 2172	1500	Pnfdcjkg.exe	91
PID 1500 wrote to memory of 2172	1500	Pnfdcjkg.exe	91
PID 2172 wrote to memory of 4964	2172	Pdpmpdbd.exe	92
PID 2172 wrote to memory of 4964	2172	Pdpmpdbd.exe	92
PID 2172 wrote to memory of 4964	2172	Pdpmpdbd.exe	92
PID 4964 wrote to memory of 2512	4964	Pfaigm32.exe	93
PID 4964 wrote to memory of 2512	4964	Pfaigm32.exe	93
PID 4964 wrote to memory of 2512	4964	Pfaigm32.exe	93
PID 2512 wrote to memory of 2424	2512	Qnhahj32.exe	94
PID 2512 wrote to memory of 2424	2512	Qnhahj32.exe	94
PID 2512 wrote to memory of 2424	2512	Qnhahj32.exe	94
PID 2424 wrote to memory of 4176	2424	Qqfmde32.exe	95
PID 2424 wrote to memory of 4176	2424	Qqfmde32.exe	95
PID 2424 wrote to memory of 4176	2424	Qqfmde32.exe	95
PID 4176 wrote to memory of 2124	4176	Qfcfml32.exe	96
PID 4176 wrote to memory of 2124	4176	Qfcfml32.exe	96
PID 4176 wrote to memory of 2124	4176	Qfcfml32.exe	96
PID 2124 wrote to memory of 5004	2124	Qnjnnj32.exe	97
PID 2124 wrote to memory of 5004	2124	Qnjnnj32.exe	97
PID 2124 wrote to memory of 5004	2124	Qnjnnj32.exe	97
PID 5004 wrote to memory of 1732	5004	Qddfkd32.exe	98
PID 5004 wrote to memory of 1732	5004	Qddfkd32.exe	98
PID 5004 wrote to memory of 1732	5004	Qddfkd32.exe	98
PID 1732 wrote to memory of 3216	1732	Qcgffqei.exe	99
PID 1732 wrote to memory of 3216	1732	Qcgffqei.exe	99
PID 1732 wrote to memory of 3216	1732	Qcgffqei.exe	99
PID 3216 wrote to memory of 1872	3216	Ajanck32.exe	100
PID 3216 wrote to memory of 1872	3216	Ajanck32.exe	100
PID 3216 wrote to memory of 1872	3216	Ajanck32.exe	100
PID 1872 wrote to memory of 4776	1872	Adgbpc32.exe	101
PID 1872 wrote to memory of 4776	1872	Adgbpc32.exe	101
PID 1872 wrote to memory of 4776	1872	Adgbpc32.exe	101
PID 4776 wrote to memory of 2168	4776	Anogiicl.exe	102
PID 4776 wrote to memory of 2168	4776	Anogiicl.exe	102
PID 4776 wrote to memory of 2168	4776	Anogiicl.exe	102
PID 2168 wrote to memory of 2044	2168	Aqncedbp.exe	103

C:\Users\Admin\AppData\Local\Temp\a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe
"C:\Users\Admin\AppData\Local\Temp\a020542118720b4ce8f82dd5f52747ca92e39ac4e7d766517d98d2dac670f211.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Pggbkagp.exe
  C:\Windows\system32\Pggbkagp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Pjeoglgc.exe
    C:\Windows\system32\Pjeoglgc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\SysWOW64\Pqpgdfnp.exe
      C:\Windows\system32\Pqpgdfnp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 176
        68⤵
        Program crash
        
        PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1152 -ip 1152
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
93KB

MD5
92fc9d15ed7abdb284660e9825c99899

SHA1
9f9d196d6555c5782c237d9edb63bdf755109d38

SHA256
3737f88c2e2b625cbb02e82f915300a8cff992cd6618823dae2950a1fe1df6df

SHA512
4f5c8e97c044fcc19e42aa7b915f93ff0595d5bc8134bf2699557c1f4e763bb079b85d2547d113b54064057f7fc03558d94d29306ab89bbfd9dd91c0e52b5214

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
93KB

MD5
8ca6abc05d3a50c8d137200e6f85a4e0

SHA1
2d1b2fd7475eb2fb76e42e2ffbe6385992198684

SHA256
608d91bf9374a53d92ad8e0fd794164a95f70127c17ccf12236adcab240d9947

SHA512
4e1faa1d442a883c58cf59255b57d6b23536844c0c23198e0a886c4c508d9be7aed5ca341b611ca26a11800fe1b192b46e41c251bfaacb55bc6c56dfcaa31f5c

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
93KB

MD5
d7bf0d96314f449d52fab7b6b48c5533

SHA1
85cdabb62f5c40a02e127da468c11b45fa15b107

SHA256
ed1b4602128f515bfa7c74d6007e9f71b80f2a612e84b893d537197a1c61e701

SHA512
30862311ca72e0c9a912794019c0ea90d0231db0992f0c18b03651ded39adf5b69ca4fd53d612ecf4469f853f068b93df15cd13c60273a754cb715a334c94637

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
93KB

MD5
e57f5e46e19fa8023ddeb349ff23bd96

SHA1
be01d3a10dfb594c1bc132a059c2dab65738f9fd

SHA256
47806a102cd82f9b3398451cd9c40e69d01afe70fc81e1a59a94410e2d150fb7

SHA512
bddc605a6ed8aa393c996ebb3a03401ba5f58d12f35a6dfbf38737f1a9dcc5f054c311d31176b0721ae72baec5d47c947e7466e4deea5a8d443c5625f4b7fec7

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
93KB

MD5
9b0ed1e8d57b259deb774c4ba65f317a

SHA1
c23daa6f16d9a275e63caad9a628bcbe8cd8801e

SHA256
bcb4cedcb233fcc255b30b481422cb215a2a9b5b05d28ffbbaa4a8d78cfe9080

SHA512
c6f6d97aed6b3a98cafcc6a932be8e6b435a90e1aac8e07a2b67a0e77fa5b90ea2fe2e33a2bcdcf02e480f89bdaf3dab129bbe2a08ed20fe2a4652e3501f76fa

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
93KB

MD5
98675fbf342fea2be0f886a237d1299f

SHA1
23682f735384e1f2d14a925de8b84c55881c8722

SHA256
279f5f101a3c097080ce5871d1b9cc79678e545fc48d829fe09e6d328be4885c

SHA512
ed997a4f453d36ade552fec2c3c1fcb5cac33bcb509dc75e78aa2bb49ac5a1ff87592b08afcb703be179cf6298b76c66240b7d6c6d2a7b96cdba0d36d0fd9e29

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
93KB

MD5
8a971956cf7e3dbd681ec223a1c9df97

SHA1
1a0f2a8714b39ab3021bd3edc2c3921ab03b8b29

SHA256
a0cf27fa43eca875e0003ef7ba68a1ffa769dac0ff79a54055e4edc52bac2e27

SHA512
ec3d1387bb211eb8c6d94fb7c289068ea7a31cfa53982097daca9af189ffc4302fb310a7b4d49e354024e7cdfd2944f34054058a04fac6cb4e63579b854e5229

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
6fdf9d04205978a68111cf87e9804b68

SHA1
136a6697420239746583493a2b9257dc28fd3e2f

SHA256
cc3e370522549444ed8936390b6cdb200973f53d31040ba4c088d5adc839499e

SHA512
d6db268e7885d9f6bdfae806d256ff59e882f9c3f27e88b66690d93c82d7ea269319ff382a5aaf3935e9bbff0c4f058a47089e3767ba3d6ed257ae046c73bb72

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
93KB

MD5
2cf8a304a78627cbf337762cb217b630

SHA1
0a87ab5afb4848dfd22562cdfc22aff5d25b417f

SHA256
126aad2c6139ce680769a6e0a38d82da27556d72100ffe76f39640a64100c666

SHA512
d44b0f7c31524774b793c1b5684ec8e52c92f1c9ffb5122a4bd00633fa2706d9e166534c6204aa7be7281aa541c9f7f6460ca01f0962044ee0e4ba06756f8fff

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
93KB

MD5
4411dd9b35605a1b684f63256b2afecc

SHA1
6c29c7c91733e2c7a90794ae75542853899a3367

SHA256
eaa0d183340bc3e542e9179ff73b57ff33ce69dfa96a983ab5d0d34ad70c5681

SHA512
962279360b27fb42b2f382ce0c95a6c272d38500a6184a71317826ff62ee61923519447b1fa1109bd2dcb5cc1d9b2407b3ef4a933c0ab6782688eaa4ec52ef61

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
93KB

MD5
72a558dd4be5d708e46ce2476b614a84

SHA1
4b42beee418f3847a2814260c7f30827911545f7

SHA256
ba5f9dc6ea140ccf7d747322478e060009bd0f311a0e9e99c35b50b1e6d8c5c8

SHA512
ba4403441439d60ff1de757f23931d195eb802806013382017c71090b8a73b8e410cb1b5e9be7a0cb189450cd048a33118eef8837184f139787c851a9ea0c904

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
93KB

MD5
0987e7c61ffac1a66862a68d1fdde8d6

SHA1
0ac925a6ba3d4f4d7b49c9ab73384c5a8c9ead5a

SHA256
fd6eebd53be46ddd0d104ccb9b57e2ebbf706c3d58e78f84f3b6581dbf48dc4e

SHA512
b9610ec5db2d4c0e6150fee14e6c335116ae872bb0028ae67f1b563889a03c8359f562d7ee30ab3364ad16bfd397bca683b23c7d8002e4c212c2e8e13b3ce0dd

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
93KB

MD5
2164e8068d1091b7f78add80e7e404ed

SHA1
71ca511007d4014fd58b31b4e43ea14d17a41864

SHA256
9727928467da1649f064cdf997c664b19697adebd6a2947242042d55d707318c

SHA512
b93143929fb72cc258969fceb76f4d22061496650387cd62a2724453bea492d14025aa39106da8f692171f73b66fc20c3e6f6651c0ac26bf2ca4691544f9e48c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
93KB

MD5
1667aa60d6fd575dcf6dc65729eaf8a9

SHA1
cf2f630c9486af58a15467b78d2ff1bf67b80b2f

SHA256
10186c14fec4b802c5fa818ea64b4a80f89c70b0cfb5e9b68f977217377cbc60

SHA512
6b2e1fd689cf16e779c40c3abd9a61c19cb6d2431c07d59387fdf2135ea9a1e749cfe522fb8b60cc8bbb313c61f5205e5b911d5dd358932bf060216dbfbe76e4

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
93KB

MD5
e3a727f256cb5f6375085bcde77fe55e

SHA1
8aa3b57bc4a087daeeeeb51de7c5796da2998b6f

SHA256
14a3e71190c7a0f8407570e53b1ae70edbaf51961789412c34142ddd2ef6b969

SHA512
5daf9e20e614ab93296f0e7241571bc4c01debe50b3187aac16be06ed8e587378119521183d26db314212743c06b9ebf679df27bef349abf99a8d38992777235

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
93KB

MD5
c0a9c1d4261be458a458e4f91f28b864

SHA1
d46dbda95576c8466894037e8fdb4eea6272a5a1

SHA256
9630927411ae9fb09bb7ace4c13d2a8070b65c4941011b6d609c5175de845f8d

SHA512
b96289b16735205e6aba02d64918fa7ba4f694a4a3fbc2f7091b53d0b56cf2ce8f93581b1fb1ab309a555c2a0fbbcad04a8fc8a9960dbf3b57a5bce011dae854

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
93KB

MD5
cd538a8b586fa28369b06bdc23fb0bf2

SHA1
cdd1e867cdac7e8cf975662bd700acd160c9421e

SHA256
2420269e59cc18ce10ab5b99043e1f6362be20c1dcaf80938a79801d8130417a

SHA512
053b72f28c92b1562756f94a5f3e9fcfa79065023de19899c30b8fec86f8b0020a5ed687fd7143be69fd958faaf28c34624a8e958b234585f9f97ef8d3ad0e48

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
f2b1c926a71c432f50606e00807bc893

SHA1
177b4dcedec099dbfab2bc9defa68255ac9e3f29

SHA256
28ac93345b8cc4cc62e4bc50c2bbf56bd781e5996592715c05e0878feddfee4d

SHA512
5f672d0406e17bdace76803233c32b1c5d6527b1872384589081c0a8df2a0802733935743fe5463594941e38cbbe8053b980c580b55018e4d2e6ad382c13cfa4

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
93KB

MD5
cab20459d00b24ad94834679530cd36b

SHA1
47f578ac8d88e433eb0f2784e495d902c48aeb17

SHA256
47717032305ff0f4e53da00556de768d708e4d6a5c640eafffadf2ed6f7d0e2d

SHA512
e897345bb077b4d35d3e42f3dee19de741e9b5285e6f65f1d92112200b12632be43de7cc4f8527aedf2c927f6798f548baf0ca8265c2002c0b922cba726d781c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
93KB

MD5
11a5f74b389c8127804266114116ded4

SHA1
655974382449068a68fea491328a6770d1d8d2c4

SHA256
d2c79e43ac5726e5a0151d613a6a34130a01a1d01ce2d35c5e717189ab6a63dd

SHA512
09a2c04f77bad947fc7c5df98dbdd3dda18f992992b2d5f3c3d7d2f9b451122ad1afeec11ee118c6f6f178432b21f90e2b703a1e9ef08fe2b9cd75f137086b1c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
be25235ada98edf893afc0be9be7e699

SHA1
14a6d13c5988a4f7333019295f6451a1c5a861ad

SHA256
81604486441c1eddf6c0e662e929dcaa7119f031bfc47d5acd61c9405115403e

SHA512
1bf0eb2a57f12acf3e52b06be24b4b121cefb3a1a5c5009ac0ea8c7fb0476aabd49335e3a4122e9edd46763a60a416e5f137e604158801fe5e11129a9d0393ce

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
0f0e62b6e60b3427fd0d9b77d244eb1a

SHA1
94f6c4641d2cc56400ab53da7dee8de30ced896f

SHA256
ad180310d806892c4a7049249e7821b175995bc775e18c7a5ae1625700025735

SHA512
75dae019f02e2bbbb706cbdc9f9a4714ee3a8f93cf9d1afc74db6aee8c0655a5876cf5b4132e1ea32c666f4caa34924a964188770201786611135fcba5cd1e88

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
55061c54ec5364f0d5583f1f865c323e

SHA1
b74d866170fa579e5f519e187ec1ff87216a90a7

SHA256
39209f8573ffb95caee6906840258c042b1b4a12d27d888031daf047222e77f5

SHA512
2ea3f026859deb45e49d994353e67aa797cad74f47670cb6d00c494a2fd62bddc20be996e9799b5807ef2bb41c545785682c634577fa74996b35720005c2ad46

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
7eb667ac88482835041ebbe22dfcbf91

SHA1
7042ae0582d5b80810e4300b92b3ad73885a6eae

SHA256
5e51674677268ec1f60dcfe4dfd99c361102f5104f716dcaf6895495c79d269b

SHA512
d2cc1637fd31f4e42a726a092c2ecfa1a68a807dc06e1d6b20a706df360f27b8d20545619c7672a5043d4b96b404527d60934459889ab1a07f78bdf01c2282f2

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
93KB

MD5
fb3fb8a4ad4e6ed0f4eeba3854f533fe

SHA1
707e2b25d62563e6261119462f993281000f99f8

SHA256
aa0626394feac8be54b519056fcecd52538f0fa838b5ad7c25a48cf6334ddeea

SHA512
9dd9b5dce54984014a69a38b3fab7a2623934aeef51836ac6e686743f483933a4d53b00bf3aaf18adabfd618eb433a82b9a905a04d2716bb51ae970ef8b4b432

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
93KB

MD5
e1103d527566f698597b9d80281a939b

SHA1
8f5987138c05a3ea5cf3e19bbb0909b38f1e82f5

SHA256
d0cb5e83a9f6525aa450d5f333089efecebdc5444b81a269655be2954cff8b65

SHA512
8004f8c0251b2d07a059074b7497e7cbae1cfc455e7f8c4f1e27b9441ad7bad2afd300c766d77af2cd70aa1331000f98fec87ebb80b657039b2caf52dc499e91

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
3a4f1876670e96354f1d66a853a954c7

SHA1
3d94561ebd89794c474fe3393aadc425f34daa42

SHA256
e015e01ad51fc57e4e441589d248d9c5ad06036db181c7f8f96f676517be9f30

SHA512
401b8f2deb8ba2e7442423297f2582a8c3a6a04108d3c0ab742886d18df22400753ccf99d08d26581ae027fa5cd2943cffdb9482c195e8a54b16b90fa0365cd1

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
93KB

MD5
65a2248a2694e40abba6040d2fe79f1f

SHA1
bd48bf1153e4d280e9933a6a5eb9670b0c84380a

SHA256
50291ef827331a497d9579127c4536b1a4f13b36d83416fab848184d58bd26db

SHA512
c3a5481dbc92c19e6a1dda7b629ae0b71199f57e59d65d04a13db6673c3c9c73d9b9f2fe039f5db4f2cb434ec0ebd3678e2fb5bb986ef154b244fd4cfee52951

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
93KB

MD5
c1a8b8ce90a12993a1c1f6bd08b677b4

SHA1
2f91961a76de4c0f16a398ec5ea2c27d9117f7c1

SHA256
d26ce7162689245960d8fd45f4f57b6538763fc9a432705df76f97b7f0af7f30

SHA512
5e0173f9da5f6a7e7666f738a11ee20c144a8d53598dedc36895db5d961e5dfb9a675c1fd4135d93457d284c149a35bbbc20734bbaeec094d49d27f5920c7b75

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
93KB

MD5
c5d06f73c7e126ee8200991a77c34124

SHA1
92ff7d31ad7709d0c7c05b50c5e7826017426963

SHA256
51a43d71ea4ecfdc7122f936a7fe947626a2f7c27c8850a4333c5fc00d11a1c7

SHA512
4c2a7354c4acd97f05f119bdbd590ae0245aeb47d1646aa7b5615c8d806e1de2c17927cab599e0fd0e0e3ef4f463b65935a843266fbcfffc154ed3c8ecdba231

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
93KB

MD5
4e9c9218d1c2ca0f17b8eb5e1e28f4a0

SHA1
bf3b37d7f5ce412ae7ac7c0c293607ed52556a77

SHA256
3d968a6f5939553d63fbdf81a66609d67758a76c8f64bd01495e0ab7ef72d552

SHA512
9a5860f40ecd443351f38b69219f9a9fbc55687c8ae4b3d46a5379f8205d7ee39877eb1d5e343230504da5ceb21ab8dd41983e1d32589f717272eb5eff08ec67

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
4948d406687f0f2cd1f4bab353da01c1

SHA1
936a0f96560d28e70c239c30ae681b0da3c47c7b

SHA256
64c2eac89df0a70622e24349a40242b552ae59fc5fac590c613174fd2129b98d

SHA512
7d3645899de6086e1aa6935ca0025c05e9f6c788be2567f8b0c7c3703cd4ad5787d9fb910c8a9e6166540cfe1ff39bc450ccc87276d6a05f709e4c5e039d0315

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
93KB

MD5
d02222a9dc61330962b8509138363590

SHA1
310900ed8cfe1e85102dd9714ee05d2d21be4ab2

SHA256
6739c7dcf887da1ff3f8b0bf59b9ec942bee5cf61aedce8403075b2abbcfe2a1

SHA512
9daacdebeb1bb1b7f34cc2b673bc87fa30038578955e021207de4ff7728e55fb05ad5f5f447ea759f41870e3a26521d6174f65637a724e71e4b07d8c057fce72

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
93KB

MD5
eff643308506c1a0804e5575ad03e693

SHA1
6d573a8cac85e9be6c26158f0439e96e7728b2f4

SHA256
7e3329f4fdcad3b51336b31efc8a4ed3124a87200fb24a9c49fa620a6c883c25

SHA512
e10d7d0d82251d09ba404f351f3d9b94824b9402c5ddffccad36c7a17cabcfedbbe661cbd086832f4628e49166fa13acce22f52ae68dcd5cbeb0ed4185cfd5c5

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
93KB

MD5
cc21468895d9edd7d5423d398e87fbd7

SHA1
56767bfb5972911499c297ec1bb803babe17c403

SHA256
ff9370733c96af3df3741449301457fa50746d7eac7f4da7735b31b1157fbd4f

SHA512
ded776a2acb6fa704f1192f2f5dcdbf135d5b310747d00bf45c8ec0404c6c36902a0bca2b1f7d524cba0a85838485c8ad09d9df0b4e1950059f7a3db7f4bf1ba

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
93KB

MD5
0831131b729b5fc25a1519befaa1798b

SHA1
3e4df06486ff5c83249937a0a99bfb61846db61f

SHA256
a6027061fa2e1660c5bfaf01b46512493867f743b9334b6761b71b7e12e72316

SHA512
3c8d71595ff76adec3165cf84e3a5e74c8dfbb3ed57be9b333c08048b7b28fc0efea51b914b30f6e71fdfc8b8a94fe6cdf014c249ae2a56463117c28fbe1a429

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
f41f5a31cb2dbb55935fa1cac5ac9708

SHA1
ad630a292fceaa389f50c18f854b93765aef6517

SHA256
9eb3cbaa0287443d24add1a8a55f6aacb9f6788698934879da0761e562c41bf0

SHA512
b04a2316edfcc1ca39cbca30b7244b929ba82dc4fa8fb9c179343ae9ce1ece788067feb10b5f42a4cfc5510ed0f28bdc933c001b73632fbfe8522118f458f85e

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
93KB

MD5
b4d2f18e135b65fe9e78695613032c24

SHA1
7292f836e20e0243c69dad061f1276a90ddb4dca

SHA256
efee51ee1bb90e3890836596c4db91afc22f0369fc617af23a698d69f58cf072

SHA512
ecf4bb5ea2c34784870965b92a052103fbe4e0548678dc793550aeb3bb9041c138fd662b1bf765623b90903873f200e15021b8b9bc56b91824edde8bf18dbd97

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
93KB

MD5
1849ff2dcc539489849c31ce743ef47c

SHA1
57fbac58a01074ed2d00fb2c995e7280efa19252

SHA256
8b8ab3b074ad696ea7455b88c0835dc96da10c729df11236512dc2228c419f29

SHA512
10b2ea94180bd529830c9b60468fe41016d062bb418c4345970540f4e3c2cb96266e62d43c715ba1065eb2bcd775608e07257852b11b2cafc114f504aba1355b

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
93KB

MD5
399c90acb70ac5e7260f9b3d5b4d3a24

SHA1
e4fd021b73a4f1fbaf37b3582d5fb07ce3071104

SHA256
4554d83fe7a3508d37515945107c0bc3d39bdc621cdaad1c0c4801a974502079

SHA512
6d6b4545af294c42408c58fae4734e852419b3ed944fd7f69ed2e61a1a88abb5bf1ddb1abf03563d5be2e23d415e4c7a4ebdb7a694a63473b6ac8a987fa75174

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
93KB

MD5
8977175a2a92aae2c6bd54fec0f67026

SHA1
6a9aa60b046c25a5ea90849b71ddfbe420cce7d7

SHA256
a196e29c9f7e51806dda62c0476e8b1e93f0c4e5766da618d3ef02d7b633cee9

SHA512
7cf511787f7950c1e4cbe9efca53ffdf500ec9bc344ec2978b644d9d2e10671ec15b43e508195343959439f039e682303bc332973f4ca7b6ea252e6b0d8e332f

Download Submit
memory/116-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2696-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads