berbew | 3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
Size

70KB
MD5

26a94394e256250ee719d25abd36934f
SHA1

cb80771f15ae50d4907d7978e699da43bb2fd23b
SHA256

3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5
SHA512

c2d2faa1a671eb5da42aafbd09f78bbd110405afbfcb94766e7f13ea19efcf622629a191480f818700317a6cc6c7269a5a4d408e184a93ce3be151f8773939e0
SSDEEP

1536:x+RH34FIaR8YdGlrA6b2LiRF+FoQs2jvB/w:K3haaJ0iRo68jvB/w

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4228	Oqfdnhfk.exe
1284	Ocdqjceo.exe
1224	Ogpmjb32.exe
1728	Ojoign32.exe
3500	Oddmdf32.exe
4840	Ocgmpccl.exe
840	Ojaelm32.exe
2708	Pmoahijl.exe
5092	Pdfjifjo.exe
556	Pgefeajb.exe
1456	Pnonbk32.exe
3376	Pqmjog32.exe
1840	Pclgkb32.exe
3116	Pfjcgn32.exe
1552	Pnakhkol.exe
448	Pmdkch32.exe
4256	Pcncpbmd.exe
916	Pflplnlg.exe
4672	Pncgmkmj.exe
464	Pqbdjfln.exe
4480	Pgllfp32.exe
756	Pnfdcjkg.exe
2164	Pqdqof32.exe
2760	Pcbmka32.exe
4976	Pjmehkqk.exe
4952	Qmkadgpo.exe
740	Qdbiedpa.exe
4736	Qceiaa32.exe
212	Qjoankoi.exe
4788	Qnjnnj32.exe
4560	Qqijje32.exe
4696	Qddfkd32.exe
3556	Anmjcieo.exe
3520	Aqkgpedc.exe
864	Acjclpcf.exe
1784	Ageolo32.exe
612	Ajckij32.exe
3644	Ambgef32.exe
4592	Aclpap32.exe
888	Afjlnk32.exe
1540	Anadoi32.exe
3480	Amddjegd.exe
4376	Aeklkchg.exe
4940	Acnlgp32.exe
2136	Afmhck32.exe
2588	Amgapeea.exe
4868	Acqimo32.exe
3940	Aminee32.exe
1760	Aepefb32.exe
920	Accfbokl.exe
3124	Bjmnoi32.exe
868	Bnhjohkb.exe
1556	Bagflcje.exe
4076	Bebblb32.exe
3460	Bjokdipf.exe
428	Bmngqdpj.exe
3616	Beeoaapl.exe
1852	Bchomn32.exe
4804	Bffkij32.exe
4348	Bmpcfdmg.exe
2736	Balpgb32.exe
2412	Bcjlcn32.exe
3980	Bfhhoi32.exe
5180	Ceckcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5380	5232	WerFault.exe	181

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4228	4960	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe	89
PID 4960 wrote to memory of 4228	4960	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe	89
PID 4960 wrote to memory of 4228	4960	3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe	89
PID 4228 wrote to memory of 1284	4228	Oqfdnhfk.exe	90
PID 4228 wrote to memory of 1284	4228	Oqfdnhfk.exe	90
PID 4228 wrote to memory of 1284	4228	Oqfdnhfk.exe	90
PID 1284 wrote to memory of 1224	1284	Ocdqjceo.exe	91
PID 1284 wrote to memory of 1224	1284	Ocdqjceo.exe	91
PID 1284 wrote to memory of 1224	1284	Ocdqjceo.exe	91
PID 1224 wrote to memory of 1728	1224	Ogpmjb32.exe	92
PID 1224 wrote to memory of 1728	1224	Ogpmjb32.exe	92
PID 1224 wrote to memory of 1728	1224	Ogpmjb32.exe	92
PID 1728 wrote to memory of 3500	1728	Ojoign32.exe	93
PID 1728 wrote to memory of 3500	1728	Ojoign32.exe	93
PID 1728 wrote to memory of 3500	1728	Ojoign32.exe	93
PID 3500 wrote to memory of 4840	3500	Oddmdf32.exe	94
PID 3500 wrote to memory of 4840	3500	Oddmdf32.exe	94
PID 3500 wrote to memory of 4840	3500	Oddmdf32.exe	94
PID 4840 wrote to memory of 840	4840	Ocgmpccl.exe	95
PID 4840 wrote to memory of 840	4840	Ocgmpccl.exe	95
PID 4840 wrote to memory of 840	4840	Ocgmpccl.exe	95
PID 840 wrote to memory of 2708	840	Ojaelm32.exe	96
PID 840 wrote to memory of 2708	840	Ojaelm32.exe	96
PID 840 wrote to memory of 2708	840	Ojaelm32.exe	96
PID 2708 wrote to memory of 5092	2708	Pmoahijl.exe	97
PID 2708 wrote to memory of 5092	2708	Pmoahijl.exe	97
PID 2708 wrote to memory of 5092	2708	Pmoahijl.exe	97
PID 5092 wrote to memory of 556	5092	Pdfjifjo.exe	98
PID 5092 wrote to memory of 556	5092	Pdfjifjo.exe	98
PID 5092 wrote to memory of 556	5092	Pdfjifjo.exe	98
PID 556 wrote to memory of 1456	556	Pgefeajb.exe	99
PID 556 wrote to memory of 1456	556	Pgefeajb.exe	99
PID 556 wrote to memory of 1456	556	Pgefeajb.exe	99
PID 1456 wrote to memory of 3376	1456	Pnonbk32.exe	100
PID 1456 wrote to memory of 3376	1456	Pnonbk32.exe	100
PID 1456 wrote to memory of 3376	1456	Pnonbk32.exe	100
PID 3376 wrote to memory of 1840	3376	Pqmjog32.exe	101
PID 3376 wrote to memory of 1840	3376	Pqmjog32.exe	101
PID 3376 wrote to memory of 1840	3376	Pqmjog32.exe	101
PID 1840 wrote to memory of 3116	1840	Pclgkb32.exe	102
PID 1840 wrote to memory of 3116	1840	Pclgkb32.exe	102
PID 1840 wrote to memory of 3116	1840	Pclgkb32.exe	102
PID 3116 wrote to memory of 1552	3116	Pfjcgn32.exe	103
PID 3116 wrote to memory of 1552	3116	Pfjcgn32.exe	103
PID 3116 wrote to memory of 1552	3116	Pfjcgn32.exe	103
PID 1552 wrote to memory of 448	1552	Pnakhkol.exe	104
PID 1552 wrote to memory of 448	1552	Pnakhkol.exe	104
PID 1552 wrote to memory of 448	1552	Pnakhkol.exe	104
PID 448 wrote to memory of 4256	448	Pmdkch32.exe	105
PID 448 wrote to memory of 4256	448	Pmdkch32.exe	105
PID 448 wrote to memory of 4256	448	Pmdkch32.exe	105
PID 4256 wrote to memory of 916	4256	Pcncpbmd.exe	106
PID 4256 wrote to memory of 916	4256	Pcncpbmd.exe	106
PID 4256 wrote to memory of 916	4256	Pcncpbmd.exe	106
PID 916 wrote to memory of 4672	916	Pflplnlg.exe	107
PID 916 wrote to memory of 4672	916	Pflplnlg.exe	107
PID 916 wrote to memory of 4672	916	Pflplnlg.exe	107
PID 4672 wrote to memory of 464	4672	Pncgmkmj.exe	108
PID 4672 wrote to memory of 464	4672	Pncgmkmj.exe	108
PID 4672 wrote to memory of 464	4672	Pncgmkmj.exe	108
PID 464 wrote to memory of 4480	464	Pqbdjfln.exe	109
PID 464 wrote to memory of 4480	464	Pqbdjfln.exe	109
PID 464 wrote to memory of 4480	464	Pqbdjfln.exe	109
PID 4480 wrote to memory of 756	4480	Pgllfp32.exe	110

C:\Users\Admin\AppData\Local\Temp\3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe
"C:\Users\Admin\AppData\Local\Temp\3a4e5f29de778d3c6c85cd3caa237ff0de23477ddef31127dab543c53bbca2d5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\Ocdqjceo.exe
    C:\Windows\system32\Ocdqjceo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\Ogpmjb32.exe
      C:\Windows\system32\Ogpmjb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        39⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        92⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 396
        93⤵
        Program crash
        
        PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5232 -ip 5232
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
70KB

MD5
835879640272af19616f3478eb37c36f

SHA1
8a764f81e4dd8e683de917029c2e9bf0e73fabf8

SHA256
934e69e1c651ce6abbfea643b4152981342aa8c72b0b57f3ecb678580ed567f1

SHA512
57bf022dbce0835e01ba18fbe2d340e1c56504537385b9a06da5864b22d0a76fbeff5721a45ffc32190ab2764717f133687a30aa5c264504977c56173148fbe1

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
70KB

MD5
b8c484e118be54d3814545e059e43286

SHA1
d904a3696f7e236983b56d1e4c209f45852fb454

SHA256
dd6ff7f3f76a4326b961bb83ea071e2ed31431eabdeaa64955513eb986c2c475

SHA512
b63b05f150c2d9b91c734279c197a7c51631a193cf66dd541f0ec42783b6f922fc82390c716d4e5e2c294c04c2e5c59dc61d41108b7f815baac602a39b708c09

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
70KB

MD5
f678fe942971e9bf45450dd81712267a

SHA1
40e1d5afe5ede61e98db172e1cfb1703d453d285

SHA256
83e550083a34c89578a1aaa5fd918a59c8cca902d13c99e7512494b990236eeb

SHA512
c1ba0ccd1bdf664f586971e6f1dd345098b44c120821e07de2750fbac9e57717871c89ca597cbb1039a394f818b3cc85bf68afe029503fef4f7b4cf44bdc479b

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
70KB

MD5
571c06840a3729da9eb6b29abdfc2c68

SHA1
cff37af7cd8553772da37b38121744e029939d97

SHA256
9b286849195d7ad44479b17ebe708399c4e6725c8d44f2594ca2a01e8176b5e8

SHA512
7ccd3acd5ec2174519c55dac9535aca2e43a2507fd931f321d8bf524f829c30bdde045e23aaab0421dec6b7d14b66cb37064f5d55568772094214f3e58135f95

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
70KB

MD5
0083533c4fac5ad0de19db520b9455a3

SHA1
12aed4cac7a5d16bc4dd96ce7a0efad0dcbf29b8

SHA256
fb229ecec54ac036000f5c4bc63077776ce0aa135316b75a36cba9da5e5ff28b

SHA512
19bbb21d23920adaa3c4aa66a45015b4d2b8aa22e32295b41bc2862428e1bc7ed709502b2f7447dc4f1b386783d782aae645536cc04ca4af1dac0dc4067bb864

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
70KB

MD5
77304abf37c46a86c0fec9498bc72139

SHA1
ca2f4843fd0168467777c1fc58a7f2d0c4aa72a7

SHA256
9c8a963d3330c8a74eee7fdb94dd5de945f82c619f35ece4d0496618bddfd409

SHA512
1ea0358280b3e663fa62f01db52fb178d38ad2a8d705e7126e69896f662115f8530963e7b65a9a5e9359c2320cb53356581530e5e9d6c7cb273170398d400d51

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
70KB

MD5
e8c30f3b936b5f407e4ed87ce4b835f3

SHA1
c7184ecdc80ac4418f1ee331a578d8b992a50f79

SHA256
a07421572d0a571ad46f1762ba1425043281c1525290671c2b0d8bf3aabeeebe

SHA512
2b99d3df29312fd6abf006646b2f1dc5823fc2279f060814178e46ab2b1a76f5066a0f3fe139aa6e1f1ca9b5edfd3b5aed7ac89157c07a27dceba65bbc96faf4

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
70KB

MD5
3c7cab0d2d2989e0428048bd9db67bc7

SHA1
e1526c7722c44c6265dd12e98e8dffa92e77d1fb

SHA256
f5051cd8acfb52ef5726d48c220d451855aeabecf81f77d28441780d99a8fc23

SHA512
bb74be7728092554ac5f2397cd6bb97ad7258320261fdcd342d7dbe14b74fabd31d6c9c12750885855cea7943a3794b0c4c590f5cbda6d6bdbe0d6ed69342272

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
70KB

MD5
e297da04b6877263ac0a36f8345f73d4

SHA1
f43a05edbed6802d0c50e1c418a230faff161bc1

SHA256
88df1ac9ef66871227b7ee725e5bf0af39c629e3c4f9ff04569196df5d12351b

SHA512
7cd23d6aa27ffa262775870a753adebd6f8614e821d452149e508a875ab07ea5dc8ba81b0eb15315dbada380841d03242ec9d2e4a349eb48b1072379eb9b9002

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
70KB

MD5
e4720e0c8ace50cb694a421038b934e6

SHA1
fa0093a55a8812cad0ff12e07a3546f3d7ae51f1

SHA256
1cc5c0500d6c0ee61058ce7b2406e0258dbe0e927986306c41baf049be6d2f9f

SHA512
fc31344711b327725eef4f4bf25737f30ad0e7e107b90da82131100bc53bce503d54bcad8c33ea1479f4e5058c8250242e7fc6caac11f8f17d5cb06a55eb5e78

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
70KB

MD5
a438a8e152ac0b12f2d5aaa10eab3b4a

SHA1
34458ba3509e17bddecaf9f8814df826018c41f8

SHA256
614a39ab973c00cdb3628e4249c5fbb96ff810ab0fd9099545a213cfd0984b45

SHA512
5e0a9cd4af60ef47e1a95bc7542ed17b67563d59e682cc468ca570a222a353a5a761e7bf0ee7979d303781419dc8931cc3006b21c9f876be1018e4e37348ade7

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
70KB

MD5
f64cbf2f48577789b87bd21ceac10607

SHA1
6c3ca6237baede813404ecee88d1d841ee561ef4

SHA256
50a7f050a634dad2336c49a964ca593a66fcf66f62ec2f3de53ecad180e779b8

SHA512
7e15b428261b60e45fab0b7b4148aceff30240661523b6c9b21ff128cc7623edbd8322fbf15bffdbb9244d5617366545ce373380b59db556be76edafcbf9c85c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
70KB

MD5
4d63532030985a877805687bbe35473e

SHA1
164d0fcd0e5508c3024e6e3f69e4a040e1bab056

SHA256
34c411f105a14044ec11656a5a7cb18ee0e897e4224c1ab877d9e8152e8ef5b5

SHA512
0898a6bf7b7f4db15431b7c3222e24d2f032dea932265d36109106dbb1d47bf80569815119278fccfb75fd5814fe8e21a48b23a312c448bdc48fd7f896a40a40

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
70KB

MD5
909dc236ca25e28a17f4e1a46030645f

SHA1
188898cf7089309eb4ef206260523c3fc793f75d

SHA256
6d8cc01312a8d689a0ad58aaca3c9f2895dca8c12bce888941de1cb3d2f082cd

SHA512
d69a43a2fed6ef56b88785dfd383828b4bf55543f41942abb3a0b4f1f6aada722a0997ee39d22d20c8e639b5472a3e1b684db34dd2013582e6a8a84f44a7057e

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
70KB

MD5
54aea03a8e6cd079694bff8e80de5dc2

SHA1
58b6d75d9c28ecbc5423872d394eff4c1b6ef6b1

SHA256
2e0484325c3bd49beebb2834806a8d5dd0bb02e93f17fb90a3a9698b56a77623

SHA512
f533a82706b785d6a21aa9cb72f7b5207efa16000f084a495cb57341ee4d3c92f3b24410b7585f94209053cbe70f970b310a82be4d98bfb2473c9b67ecab93a3

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
70KB

MD5
6bf1d3d1e2ef83ab25a7a8debbdee678

SHA1
c472e279a859c0d00f51b0f82ef1a88c951c9c14

SHA256
802278fadba01a7bd7d5c70ac208363f7f059b4c95bd8d87396d6e65f08cd958

SHA512
97d5e9633a79552b4c74f7bf47d54567e7199385ce53e7cec88edea82c3f89f44f5a44c1800123e6edf3891d9a53141e68052c817de73887a5c4ed6e037bed51

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
70KB

MD5
acf550cd23f5e162b9f76591dfb26ed2

SHA1
ed8d7c02f8fd6f5c891dfa61377515b4cbab4eaf

SHA256
63ed3097e71b47513d6b782fafd0853a45c0a8d4fb43afc096d57808f919d5e8

SHA512
57f5cd4031d8b70c5a3921a4a54f051e637f1638e75b2bb8111187a8ca21287297839176b961d0d38bb980d3dfc71c593e1750e03684132c04b3f0789a9d8152

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
70KB

MD5
5baccc16b6019c10b39d9f0b2d319b78

SHA1
1638d327f9cb72329e32549c590ceaa9a86a8559

SHA256
a0c29789f34a63e364e36eabc7fbdd27d4fb9ee4865b829ea25688f1a5e27ec8

SHA512
6221757c3d3494dca2b2abadb21fe6c91e60ece6b6e01e6c75d5af674899d67957bed63802ea5595c9f03daeac2233308913120c4e00cdf235667f32c03f7e10

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
70KB

MD5
1dced261b2939f50255a418a260c6450

SHA1
a37e936b4d7c8e5bcc44de60fd1f60f86ae52e20

SHA256
a449bb982ecf468754dd219c123dd62f341c1db5694678d90434114f19cb8a8e

SHA512
6fb52faac13b7723cb1dc1643b20f1a6d5603b30d7b9356b05869bdb075f758765a5a8c8988e020ed11e2756d3c47164eab000569ecf1301a8a93c8a7b9724ed

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
70KB

MD5
35ba7ec47fd65dc090e6eaaadb6e07e1

SHA1
cf6855d7e0aa20581dc226e8d165268094b4d75e

SHA256
35b3b6394363cf6573fc346ef4b520a9c074ce80325d1c9e5c55c16633244189

SHA512
bb6acd17802fe4c3c2f11d40a1777674c96bd6eff1ceeea6a03405c3d274f8ec6d678ae8265b8303d2ff92c1d25532cb2a387788fa36cdadeed5e833d3b92db4

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
70KB

MD5
b51cac062f428fafa2b9f1d291d0cde1

SHA1
239c2efed83ee4100ff53f89ab2c194bd86197c0

SHA256
ef32d6850dc3b0f811825192a68c25eebc7047d959ef887d871bac02fd53b084

SHA512
9e6ea0d577a157811645c7a30f6f989048e499b6271f011a6f9e3b367326062c88797916d61c13664ec8a2adeda0948a6ac7963e88ca1431b8194eaf4eaa4af1

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
70KB

MD5
e97510f0092d8866ccf37ab6f7a3b31b

SHA1
6e2bbda1a2def4c2aae2e6451fdd1e16b3077912

SHA256
e1a15caefcdd11a7ed6c5e47da79219ea9e7b65c2b36900df768cef0f568e736

SHA512
46dc531e7414ee81a655e67f06980e5ee00ed7955e2e1928a53a96da1406d672c828159df9d743a6ab9aefc16a1d32b94ef5677eb5d329481523b3f9a16de5ea

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
70KB

MD5
d140065a4d207356bc682ee8ef442190

SHA1
3452398795ce40cf37cb4d52d0ca7b5134c4a374

SHA256
b9c7d795efdf42dceb7da8461335a416569ded7d8116013f1567045bc489f6f8

SHA512
6cf9b44b9f9737a438cc36c5404be21c84e1798f9c4f99a763c7de7efb6e0b401865017b445a0eb1bde8a7a3fccb25e2833863bf2980b62a90e2710294ba3abb

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
70KB

MD5
c4a0010bb48dacb5748dd2b0edc4d13d

SHA1
0d0acb6e657b86fc70433b79274d29f8467351d8

SHA256
24c35b27dd84d7cb0d9245511150641abf016f579a454102d8debcb107e6ea99

SHA512
0318cca741603dd64db4783091ddf99529af76c6b2ca92feb338f322e35c620363a3f41ce3e2c9a3defa819a91683242933e64581a2fee1d2fb810b6a1f6f586

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
70KB

MD5
8681063532cf940fce9febb4996b2ffd

SHA1
7bc879eba50f2527eea1bd4a1369897c97d51b3b

SHA256
64c31e466d3098e6efbeefa89d5c82e64d57e7d557afce22b31988c8ae2b60f2

SHA512
e1983e94c7c439d7c9614d245c20e511277b4ad054ebd31ab3383ac7070fc6f8943497738fa61dcc9d2093eefbc7f7e20f540afd2d5d56e8a01e1a0670426525

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
70KB

MD5
0c82d35968afdc332efe374b4b016eae

SHA1
3c66e2cedc4053ae612d0ad8c6e1c98b86941198

SHA256
385244d30edfcb3c62cad030c7624a9d1f20202ac25cd506bc4e6d9ca28a7aab

SHA512
805c97ddf2fa71e013800731d6bec6905a6cbd28e5bb16a9b21e89458a6c7fb4e590da7a794c9bc13fd0912445446257d390a5060b65a3dd7b4819a72bffa994

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
70KB

MD5
faee80983a5cc611a17fc18cf0352a02

SHA1
d422e2670fb1715d058d491667982ffefee8c44c

SHA256
2eede6ebe6c91ec5a48551ee5180777d3711b3239433a581374d63e2da7e22be

SHA512
cbc029920d4b39222052d9bfb59934de372fa90d3e659158445709d00ffc377327588622042516358ca755a3d8ec66e6917f0cb986451c63edea6bec57ce8ec8

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
70KB

MD5
300cc993acfa3363fa96bdabb33fdb0c

SHA1
22799d6fdea5ff0e4ef5a685cbc7a69c5675d12b

SHA256
d4854950e2592acc753c4a6871f09ddef065ef54a53f3ef128ecbf4dcf5826f0

SHA512
de08f7eec425be92e587ff5b6d25c90e691a280690aea8ad7bd7552dee33f31ff4dea3c67a7a4f5a781865df622587e45ae657830452c560848cde17ed56753f

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
70KB

MD5
8f01e6bf17f6b60526247b683080fd27

SHA1
2afe59a92f658f67a1786f493453fcfdff18a308

SHA256
6e0c6693f602019247ac9f6cdae8dc09f37528a12c73ab2eae260a87d30f8fe7

SHA512
58076c4c8a1a1a20e894612a9399aee95d1aff473e58d9292b409c3c97479c4fd3fc514421af6dee79a06df1aa8eae1a93a6624050b5a828f3ada7e5e4ae0ddd

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
70KB

MD5
e8e7d2b1b6496cb970c495130e390b32

SHA1
a03ad1f3cf63f6e8a58da7ea3e8d0df690e8f63b

SHA256
21ca6ab69d95b5fbe993501090e68ac0cd964b0637fc6aa0dc347b1e7242a5a8

SHA512
f15646dd1b386757e52226ccc18765711cd5e8154fee5e4b1910fb83d41fb167a9d57239c27a7ee639a737b78ad748f1692756af2a9e88b00f4472e182f84192

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
70KB

MD5
6892b961e7ab7ac588c54d2af673528f

SHA1
769e620646395419d2a9c750e7bce1ed40b409dc

SHA256
3c7a8c5ab390f0691fc1edc5d39e05edfcb96fcee36a7f23ed4ded179835ef4e

SHA512
dcf32a6d8ecc5a2bb9fa2b9dd17703cbab02d2e08085ec48d59330e810d6a687c7ea974ce5d4774af49671d4d63407a8e8b4ac4ec84188153cde7f3b9e558440

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
70KB

MD5
2acb1bd373355b6bf1ec08ecce3c1bfb

SHA1
45f1aaaa89d578276a5ad50290b5492de6b9b2db

SHA256
29521d4bca1a3fa6d36f1ab60eeab56ae826b535954592fefbf001710a2abec2

SHA512
e7f607312ae37c5f2192e033e210b70298f9704bb2dd52a154a58315dcee55665399758a2e987030d84af83dc5853d1acabd88702a3e396d8ee60c1dfe2d5d4e

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
70KB

MD5
5deae046bd380d8805f25f49d1a2b47d

SHA1
626f6fcc9c4b777a9e66e9d2214e5049aaa08b98

SHA256
6b528aa0f20e4e3d8f6d00d3f4574a68488affda84b294ef6be1346fd9bb36e7

SHA512
54980c70f85c99c660dcf3952fc12bf1d096b3a48e756c89f9d1ffcfe307b11acbc79be40b0cb0eeb7673cc42b70b7fd3aa574a0208caffce1ca61422849cf9a

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
70KB

MD5
3d4b99de3351015a018acfd355c09385

SHA1
c207c7c47a54aa7758441f630084e3fb2905b0e2

SHA256
ab6b34fb6811e31ea463e4d9756d35ac86cc731c79799421fba149dd67a2a9dd

SHA512
9979f7a9acc9f5bc1e000048c7036cb6cf4aa43a215080f1133ede22a1c72edaed9ad11f9ebe9a4aefaaeacd98cede293e5d598c51f03009cdeeb1feedb71534

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
70KB

MD5
a11961a23363130144cd3cc5bf9c41d4

SHA1
347ceaf4c849814dd242630b63da1a05878d401b

SHA256
2f6c089f4cbf996dc9fcd4d30a2719ab94b9a88c1fed99a7b0ec4aa8f81173c0

SHA512
b85369d8eedd81df3f605a9dfc6d5bdec3349fd4d08a12de6c7747ad48e89bd1c6181d4b93ec95e5a096da98e2929eb41ae76d09937fdd3a397d73c76d63a512

Download Submit
memory/212-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4976-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5304-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5348-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5388-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5428-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5468-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5508-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5548-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5588-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5636-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5684-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5732-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5772-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5812-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5856-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5896-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5944-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5984-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6028-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6064-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6116-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads