berbew | 878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe
Size

92KB
MD5

5efe3bfbdbcab6fe3b32d61b90ac857f
SHA1

b46c50f68c1320486864513b948a008109270c24
SHA256

878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e
SHA512

c033dd1663d394126e7ce7366b4f0e3855c6343da50cfccea552cb8ecb2d489ce903bc6f6d65ba678b0e10361819a03d5f3ebe9dde4bb0a57276921f3500f5d1
SSDEEP

1536:W2v1tejabXOFKZq/XZJWvfiePQ8YahRoRlJ8hG+/y9kzoQYx+QS9zm4LO++/+1mx:He0yKkHWHLRoRlahGEIk8QYxQdLrCimx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3692	Oqfdnhfk.exe
2004	Ofcmfodb.exe
2960	Olmeci32.exe
4348	Ocgmpccl.exe
3180	Ojaelm32.exe
676	Pdfjifjo.exe
1404	Pgefeajb.exe
5004	Pnonbk32.exe
4388	Pdifoehl.exe
4796	Pggbkagp.exe
4556	Pnakhkol.exe
4712	Pqpgdfnp.exe
2968	Pcncpbmd.exe
4816	Pncgmkmj.exe
3364	Pdmpje32.exe
3260	Pgllfp32.exe
3140	Pnfdcjkg.exe
1448	Pcbmka32.exe
4236	Pfaigm32.exe
1284	Qmkadgpo.exe
4620	Qceiaa32.exe
1408	Qnjnnj32.exe
3492	Qqijje32.exe
4020	Qcgffqei.exe
900	Qgcbgo32.exe
2836	Ampkof32.exe
3272	Adgbpc32.exe
5064	Afhohlbj.exe
3792	Ambgef32.exe
4316	Aclpap32.exe
2720	Afjlnk32.exe
2120	Amddjegd.exe
1464	Aeklkchg.exe
3240	Acnlgp32.exe
4600	Afmhck32.exe
4748	Andqdh32.exe
3336	Aabmqd32.exe
2696	Acqimo32.exe
3008	Afoeiklb.exe
1216	Aminee32.exe
1648	Aepefb32.exe
2056	Agoabn32.exe
2284	Bjmnoi32.exe
1468	Bagflcje.exe
4644	Bcebhoii.exe
1544	Bfdodjhm.exe
3452	Bnkgeg32.exe
4416	Baicac32.exe
2236	Bchomn32.exe
1400	Bffkij32.exe
5028	Bjagjhnc.exe
1472	Beglgani.exe
4984	Bgehcmmm.exe
2188	Bjddphlq.exe
3912	Bmbplc32.exe
3252	Bclhhnca.exe
3108	Bfkedibe.exe
4412	Bnbmefbg.exe
4540	Bapiabak.exe
4480	Chjaol32.exe
4376	Cmgjgcgo.exe
2492	Cdabcm32.exe
4448	Cfpnph32.exe
4212	Cmiflbel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5608	5492	WerFault.exe	174

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 3692	3332	878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe	85
PID 3332 wrote to memory of 3692	3332	878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe	85
PID 3332 wrote to memory of 3692	3332	878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe	85
PID 3692 wrote to memory of 2004	3692	Oqfdnhfk.exe	86
PID 3692 wrote to memory of 2004	3692	Oqfdnhfk.exe	86
PID 3692 wrote to memory of 2004	3692	Oqfdnhfk.exe	86
PID 2004 wrote to memory of 2960	2004	Ofcmfodb.exe	87
PID 2004 wrote to memory of 2960	2004	Ofcmfodb.exe	87
PID 2004 wrote to memory of 2960	2004	Ofcmfodb.exe	87
PID 2960 wrote to memory of 4348	2960	Olmeci32.exe	88
PID 2960 wrote to memory of 4348	2960	Olmeci32.exe	88
PID 2960 wrote to memory of 4348	2960	Olmeci32.exe	88
PID 4348 wrote to memory of 3180	4348	Ocgmpccl.exe	89
PID 4348 wrote to memory of 3180	4348	Ocgmpccl.exe	89
PID 4348 wrote to memory of 3180	4348	Ocgmpccl.exe	89
PID 3180 wrote to memory of 676	3180	Ojaelm32.exe	90
PID 3180 wrote to memory of 676	3180	Ojaelm32.exe	90
PID 3180 wrote to memory of 676	3180	Ojaelm32.exe	90
PID 676 wrote to memory of 1404	676	Pdfjifjo.exe	91
PID 676 wrote to memory of 1404	676	Pdfjifjo.exe	91
PID 676 wrote to memory of 1404	676	Pdfjifjo.exe	91
PID 1404 wrote to memory of 5004	1404	Pgefeajb.exe	92
PID 1404 wrote to memory of 5004	1404	Pgefeajb.exe	92
PID 1404 wrote to memory of 5004	1404	Pgefeajb.exe	92
PID 5004 wrote to memory of 4388	5004	Pnonbk32.exe	94
PID 5004 wrote to memory of 4388	5004	Pnonbk32.exe	94
PID 5004 wrote to memory of 4388	5004	Pnonbk32.exe	94
PID 4388 wrote to memory of 4796	4388	Pdifoehl.exe	95
PID 4388 wrote to memory of 4796	4388	Pdifoehl.exe	95
PID 4388 wrote to memory of 4796	4388	Pdifoehl.exe	95
PID 4796 wrote to memory of 4556	4796	Pggbkagp.exe	96
PID 4796 wrote to memory of 4556	4796	Pggbkagp.exe	96
PID 4796 wrote to memory of 4556	4796	Pggbkagp.exe	96
PID 4556 wrote to memory of 4712	4556	Pnakhkol.exe	97
PID 4556 wrote to memory of 4712	4556	Pnakhkol.exe	97
PID 4556 wrote to memory of 4712	4556	Pnakhkol.exe	97
PID 4712 wrote to memory of 2968	4712	Pqpgdfnp.exe	98
PID 4712 wrote to memory of 2968	4712	Pqpgdfnp.exe	98
PID 4712 wrote to memory of 2968	4712	Pqpgdfnp.exe	98
PID 2968 wrote to memory of 4816	2968	Pcncpbmd.exe	99
PID 2968 wrote to memory of 4816	2968	Pcncpbmd.exe	99
PID 2968 wrote to memory of 4816	2968	Pcncpbmd.exe	99
PID 4816 wrote to memory of 3364	4816	Pncgmkmj.exe	101
PID 4816 wrote to memory of 3364	4816	Pncgmkmj.exe	101
PID 4816 wrote to memory of 3364	4816	Pncgmkmj.exe	101
PID 3364 wrote to memory of 3260	3364	Pdmpje32.exe	102
PID 3364 wrote to memory of 3260	3364	Pdmpje32.exe	102
PID 3364 wrote to memory of 3260	3364	Pdmpje32.exe	102
PID 3260 wrote to memory of 3140	3260	Pgllfp32.exe	103
PID 3260 wrote to memory of 3140	3260	Pgllfp32.exe	103
PID 3260 wrote to memory of 3140	3260	Pgllfp32.exe	103
PID 3140 wrote to memory of 1448	3140	Pnfdcjkg.exe	104
PID 3140 wrote to memory of 1448	3140	Pnfdcjkg.exe	104
PID 3140 wrote to memory of 1448	3140	Pnfdcjkg.exe	104
PID 1448 wrote to memory of 4236	1448	Pcbmka32.exe	105
PID 1448 wrote to memory of 4236	1448	Pcbmka32.exe	105
PID 1448 wrote to memory of 4236	1448	Pcbmka32.exe	105
PID 4236 wrote to memory of 1284	4236	Pfaigm32.exe	107
PID 4236 wrote to memory of 1284	4236	Pfaigm32.exe	107
PID 4236 wrote to memory of 1284	4236	Pfaigm32.exe	107
PID 1284 wrote to memory of 4620	1284	Qmkadgpo.exe	108
PID 1284 wrote to memory of 4620	1284	Qmkadgpo.exe	108
PID 1284 wrote to memory of 4620	1284	Qmkadgpo.exe	108
PID 4620 wrote to memory of 1408	4620	Qceiaa32.exe	109

C:\Users\Admin\AppData\Local\Temp\878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe
"C:\Users\Admin\AppData\Local\Temp\878326e88fb0f26e6960c33d3f4dfd5f447686e724be903fedc3f1965ed93c3e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\Ofcmfodb.exe
    C:\Windows\system32\Ofcmfodb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\Olmeci32.exe
      C:\Windows\system32\Olmeci32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        30⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        63⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1996
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        74⤵
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        84⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 220
        89⤵
        Program crash
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5492 -ip 5492
1⤵
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
92KB

MD5
72da2b875b147b73563efe203fa14c2f

SHA1
ee5903f1c32bae14c0f801496179238ddcb50326

SHA256
2f20033588f7e87e63468f21c176f4e20a295ec07e5e0b08fb56d5aea40f36ee

SHA512
1fe976aa225e8c5d69825b03d6430b2bef7843515a9cf2037736f93af4b5e03e1aae7b0afd6febdb460604c3e7917a4ae5934c4c06c8aea2834df54fb1b3eb7e

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
92KB

MD5
77d2d67de5d17d917c1dba5bb7d75a89

SHA1
c994a120a9e7d9add16dd624a1e8c55c17f55e61

SHA256
7f11963b09af15beaee56619d4c9dd2bcb2913d7c1c5d260275db85d93ee434d

SHA512
afd5deb3ad91648c9d9b318721d3231bb12179d9904108298635099034045e10863d333365f0a68e6f1938931f16468e9ad641e30df7ba7f8e5208deef656632

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
92KB

MD5
4960c93bbd7fe00a47344de1e08b9bba

SHA1
12de1e574901bf7b203ed673685a5fe2d9806b51

SHA256
6e7b59940572f3008bb95ea20248cdf842d5c679b62c140ad6e3635ad104af99

SHA512
feaa553ec9c3bf5007ac94e6806e03fba164b1cdecad4369c0b0f1899f87d1675b258c9eaf1838513b7cd44b8b227402429c610a258472afb9357be951b7a1e9

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
92KB

MD5
92a5cafd161fd27f18c0b5052a3d5a2f

SHA1
7a19e88e4b42f08954e643471745894956f78b59

SHA256
251b256ba548feaf6fc014afad74d6dd475718f0c2e8c5b300dbeb44fe158b81

SHA512
367f9f76ccbce371068a4c245021895f81ab2576b00e56c86ebe6aa39cbe8a59e59f81694a7b89ab50aec336c0a7340ccec53c95e68dd59ac41ad1f66b426e15

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
92KB

MD5
81d3f115a5c0a6cdd8f16af2d657ad05

SHA1
2d602b1162a1445ec78b381cb82369c4cd3f4c3a

SHA256
6e1f1ce1eeffaed6fa902e32a4acc7ec6d46b11565d112c52140768d446cf055

SHA512
1eaab09a342df73c6fab23d99f4ed1589b267366f624eb83bcc5b3db42595c16daaa58e764f68c6c946aca52e961258d301b17fa0c06a842869bcae6eda893a4

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
92KB

MD5
f0ca560e580c07b4726b3fe95c664a0a

SHA1
fb330a931104b5894f05e07a96bd9470328a50a6

SHA256
b35a6f727752070dfb7fcbe73b631be7c22fbe2593aae63f52e12e4ecae9e630

SHA512
f953a9727b86ce6b529db1ecf39c693996ef317c1f3ee6761493352880c7157213c315ac3d5b3de15b6620f7d53b6be1ef7539bd4622824b0bf0941fc79a85b8

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
92KB

MD5
bda00e63e2808dd680e6b71526632fb5

SHA1
5189f890b8bdda9f3e0b7eb48a2f35b51463987b

SHA256
4f6e6a8adffd983b08c805c82aa7fa4de1c2877d58639049f8a1d3b546ba4e94

SHA512
1c6281d2a8f863ff69e6d0bb92fe524db675639f8e8ab4231b79f235081239a469010a411827068ef78aaf4e14305da3c80ec3c29f2109f3242924d9d5d9c5ad

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
92KB

MD5
10b402a3ca2b1a4cd73d5aed588f7cbd

SHA1
4fbcf80bd1f1476b83abd7f699b60291f95d23d2

SHA256
3c9630c61167fdbaabcebb60d5dccd178c9bae91cfb6221a56037b7f5feae2cd

SHA512
0f2e07abfd5f9bc056fca1b0c3beb1ff65acc4ce287052332955188e6df7c456dc85fb912c249b95b6d1061b89e3bc78380e774270159d341605d4ae044acf63

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
92KB

MD5
6429bed1e3ec4fab1b08c506b5680b62

SHA1
06b272de2e003ae3a8c2134a65ffbe16ee3c8b2c

SHA256
a88cd3db6ba492334db7595741711e2ba6d15c65aef53ca163949da540b28288

SHA512
3677d4ccfc03ab1d9296e1ea6588b193bdb8579118b932a3be5d8d789b8a5907de79f38cf99b7d96df3b16bae1bbd0e66e416ee828944a766c6c8163859c27a4

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
92KB

MD5
adca157f65fa2ec9b7490e1a704da414

SHA1
f12ccf75c6b9237c8d7693f374a233475a355837

SHA256
330df8fc6d65c804141027d01a9614ad4c4aa7539fd1b77219b493548f06ae8d

SHA512
aa3be4e53577b230c708f159696fc5ce54f7308619adc768ce66ca3c2cbcf83be6a814506dcdc0d3243d7b93f66f1555cb326b4c63732a3bb558c327b611c0ca

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
92KB

MD5
073ff3a11ac3efa44ef8627d30abe9ce

SHA1
f0b666e62a18bfa82a27a2d5767ae29767e24445

SHA256
b533abfa287af725bccb19773eb6bb0d7b5b97325d768596aec11d325ac64a83

SHA512
ecc30ba051b07e357ad5f1fdf2432bbccb84713f38f9e94439a75b31b65fbff383c141b655093bd2636fa3c64d9ba206344ef5ac071c3ec1421d1edbe5e2fb18

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
92KB

MD5
69da5ab40a2776d4abab0ec7cd1b364d

SHA1
ec1ccc8f1ea21e9c032b675067bdbd56369af5fa

SHA256
4bde81ed248e1e091efda0606363c33272129ce2cd0ca1ece03b6d60d5e31a9f

SHA512
9c42a609b5d10740b5ad92d6dc57cc03b4c60fcf0bb11f7a7c466a56129623985cada0195a1390579d5c92ef93e3b050e37c1e5c3ac5468f711d7841090b3639

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
92KB

MD5
5d2409123add02339d8657909e1690d5

SHA1
479eb542b26c6d0d14fc52c4e20474c0e0fd6d75

SHA256
a1bb013ae9f0d25fa1879d6750d9ccdee2188b0d7124fcc5adfc47594fd68f2a

SHA512
5acb40d0b4b4336553e9750972be3ae54aa3718e2b442c8b5c3614e6edddd74a55ee3eafd63ec0517843f32b2dfc86857118fb47257e863425bd1ccd97e53da2

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
92KB

MD5
863415dbd4a437f76bbe25e69abfe5cf

SHA1
fbc76989592b960a3b6c9dd85744375169356faa

SHA256
8c443de7f2fd9ba339ab353a06c6b4a2d660ffea62fefef0e868be14cf8ba7a7

SHA512
07ab13e8f3042ef1f46ea8b0f57748a2e93c45f07c279bd15b1ce2ccc1f9791e7f5c3732e04ef049b8fbc00c7d87693c5543cc1a29c0d7e55259f0b83f127034

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
92KB

MD5
8012925cd27f6617e232af6f88dcd5b2

SHA1
af265e6f0adb4549006cae493896b34f49efce0e

SHA256
21548fa64f9c56f306a1067e2475d44be0f922d177b36f7cab09319a364d765d

SHA512
ded46b4798d5f2fc2cae07bdc710d8007c8f1cab6189386ca99647999cf21ff02af6c051448dd20fd29c82fce54a607a2bb800e0bc71a3b71c4e77079e173026

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
92KB

MD5
6736b819c6547ba4a7fd5c48077fcbd8

SHA1
ce770acdbd5b4e04fef48a684e592264af76f0a6

SHA256
d7033a5663036690788b11b531fbd10dd149ca8d6ba00d7e055ae10ae894cd88

SHA512
0f00419ec79de77adab509b37185c785b55895f08404fc19f3f305b26c7877c8327f6da50d01c94c03becb804fe066bb8f85f1ea1a678f9a027354cc90b851ec

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
92KB

MD5
62e8b9746b66f0f29a13afa6ea8f9526

SHA1
f55aa598eb2719c53086be005b47a7d90ce6080d

SHA256
4bbf3a7721446f3c55862883a216ac0514c46a503ec2ec2c88dfd47ddf2d3f25

SHA512
9ac90bf7041370f3e52194b1378b53fc80fa73e9fb67a52dd4d8cfd3d74bddb7ca98bc6a887c2929a7ec76fbf651c629f11377e2654b9b6e74bbbf327693a7e2

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
92KB

MD5
6d02b6e5b817c47b5a62d438c48389d5

SHA1
4ee0beb6ae167be33193f9bc44caa5eec27db288

SHA256
69f97d36e5c8d0fb3e4129d6efc615837df132316c113beea6cc5e355c4f8796

SHA512
11e2600fc2554928918816e00d590accf7a03d409529503edace6d86633502fc7adb4a037c40dc965d666e8760303b0047408665ae7cdcc18ea1a48694b0a061

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
92KB

MD5
a7fdc951f1d238caa0510d74df0d4a6e

SHA1
d56fc6d0c1befc355ca684f175a65ec0985ddee4

SHA256
2f0feef7e86b93fbf6976f011028d562f6e21d5e270f7654ff8281b0abe8f202

SHA512
ee572195947613cdd6ef1cbbf997d6baa1201c669722d06ec04e467392f1ada632e3dcbb75e4fa68b3395405c9e498c3b71e9f2b00e167f857dc7adb9b184a44

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
92KB

MD5
49077b5ccb1415363a332a11c9073389

SHA1
82b463d34fb7db47d63b4e5da3fe87fe3f66ca06

SHA256
b5cbf55e0f761221f5c177115413bcc5d354cd8dfba3842d44a1209605be4973

SHA512
45c222dbb84a49a82a81203913e1b61166a058c766d5b859b546ef5f89579fc68d6f0522407c236471e44b8a848a33c9266b34edc26599b9d773c0a8a5b96070

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
92KB

MD5
5f3801623e6967bb6ba264c44809302a

SHA1
f28fc30c0e174a7a11011eb39df30a85c16de126

SHA256
164d27a45e5de0eee037c5a6efe5b3ad6b76440a34432c6e089fdbfb5e246a8e

SHA512
e0ead38b68c41ab33c020ba53fcafabb05840871221cf52243e327a3af041cddd7638d4adf3dfbaa36b160cf1905471a007d9f62d94fcc5950d7f0d96081a964

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
92KB

MD5
62d3f56f698591bfaeb91d3c5a3d58f3

SHA1
794390f501cfdab1365ac76807be3dde8254f623

SHA256
2ec1a7a48e5373d5409c9c3838d271c399be77f12ce898cb8be5198d4310304b

SHA512
78f3ce8116f2d6264f8b4aff16c52f52f9f9454c1bd2609b7d1ccd1dde2102e8ca93293fb3af0e2663d7f57f2a55beea08309245c962a4271b702712bec054a9

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
92KB

MD5
f403d6a29e48a6df2d2d0b130704f335

SHA1
50c567e0b57045fa87ec55b8f3b4f3dbd2bb7829

SHA256
aafa5ec4b82e009696e680d8ea9174e3b1da84a56ea1cf4a883139f5cafd517d

SHA512
6f268b4ce49346096c8682a6c3c45ce9861173326820f78e557e0f507a65e9d7d9e933da2876055b81a97fe22687147fa163cfec37b8ac2b233b6d06d4595fde

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
92KB

MD5
2170031ab01e9c140aaa9f8f3011dccf

SHA1
6f84941920418e4313d7a0a1a65f7595cd29fc95

SHA256
875c8a9759c52e1456c9fd2b1b55484b9f8c474e4828e71cba72077aeca6876c

SHA512
181a947eae5abafdb8df0443ccb374e8d60500097788a14759cf38d782e6187094a08dc79938b7b1e0c61bffbadc224a6a1ea626dacdd9a50b426052511b6958

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
92KB

MD5
bdb945d8fe2d0db38722931b2a36640a

SHA1
ef1521801b4e640f6e083589fc0e45a871ff21a6

SHA256
d4f1f9928f4fa8357736c939c71846f97c541f6b18ea7d9fc81ffafa6c7d0ffd

SHA512
219163cff7174771019dafae0adcbb32723b56a705489ad8b0d0c2538acffafca0f4ee77fa57ad9a5d9eca05563273c0bfc0419664fbf525437b05ebbf421060

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
92KB

MD5
529f381dbaf692662b51edd15d6d4a35

SHA1
7ce9f240da13ad03d413403499a2522147055c6b

SHA256
ff2b61bacaa543d4500c7d1d0c0af4fcafa51554c64f333049c89de3d0f0d7f7

SHA512
ad91e6db4304c8fed99de395842d59b02b259d988fd8ed1d580f67dcbab926f7dbcd639528f8d0ea6eb6b911aebfdd079f821057d705db99ed04eacb392e47d8

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
92KB

MD5
2c78b45bf2401a40c36a95b33eacdb8b

SHA1
0ac6d4b83a0faaf29a604e05232baa8096963b6e

SHA256
b2274fe835c9c87903806fbb9372161a2c3b80f974ab8ec596ebf5878112fdf9

SHA512
e8a24a98d753789e1ed9f47fea8c0d6e7b3ebca1b1ac238d561ef03a165d9d97c056edb5c0fd527565e05ed82b481894c4d7f3b4a6efdae31534f85cbf3014be

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
92KB

MD5
5d2c965ad85372b7a9105b5d48b718e9

SHA1
3ab0d1478f1e9775b78bd69112809d840586a09f

SHA256
1720aaa1f3dd7b709f497251a8534732a1a387399fbabf14b63bb391b96b9dd1

SHA512
bfbbf496cae791cb34b30969bce472e995f0901c79aeb3ca5f11606b270a83282250cae88ae56a1ae401679e75935506e98e24e95eb56df8cf2e1b58861cba69

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
92KB

MD5
200aa75e2513a78fe98082aad7869702

SHA1
bf6ef9d3ca037bcf0a445402a49afff9679b7c3e

SHA256
3e848406c2f31b3cb5b4c99e3128dd2576e8c4793815894c1f6ecc1969705862

SHA512
0298afc6869b8f23fad7485006fb3598ea6da156d3b6f7aabea455ca86ac92e597f7d66cb1980b9f83578a964bc46a469639a26691aa3fd2ffff720ac559a486

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
92KB

MD5
1f25819b69353dfa88d1f5f5b3753f63

SHA1
80b578be9aa1956e7dd4ad3e6600d19882b27668

SHA256
99d500c0b77dad63ddfd315c5da787019c8f6c4fd41a35d694ad75d267c249e2

SHA512
482400f1d179cad664fa673ac07a71c0218fba933bcc50645ac64b8412aa6c25efdb390d1ab00f14fd1332fe57461bdba8ed0ea7eb7c9f8fc4c6e862a36af409

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
92KB

MD5
d0b7d177758dc8fee9ff106aac0a94dd

SHA1
dbd5a443eec4575579c5dd2dfba049bf466cba10

SHA256
b023b17c4b7b23ad1f983aeb1fa0c0243f3185188a52165d2e8dc1e131ae32db

SHA512
0186155e2d4d330b5b1adbc6f4f3b7a71bad25c52a3a714c2ec6c35b700fc50a81338ef2ad27317e70aa6d036fa910feb048096f689a173c7b705ed331e1c947

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
92KB

MD5
29357e52d9e51d2ff968480da974697e

SHA1
17a542015e98119ee78682d10ee3502d9881d67e

SHA256
9287799a3a5bc5f1f2b8fa5dbbaa3670107c11c2a4c35757b62ab4d21257ad36

SHA512
408a039c4623fd10c6cff4814ea06626dfb4ce6e31fad8269031c543fc9b12cfec596ce801bdad6e143143ea7fdb234f2679f133bc95c6973e233f537b8be601

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
92KB

MD5
abec6b2b2c7b1be8702350ddf426544e

SHA1
755736ba04a3ba1e8156ef75986d050031895010

SHA256
7d8cd1591253ccd65dfc46bef9c7760ba6b6db133155a8731b02bc37c495a616

SHA512
36b662a59aae6a6a6f3b0360af4b999f5d2825d77671efe2f11eeda8385a504a0da7322ae04b63f2abf58819830186b17431b406890abf6be5c004fa1352e579

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
92KB

MD5
a98dd0004369e4c01a199580e9cba420

SHA1
5c23f55ca37a74064480182450a56f734aa29471

SHA256
c32321b6804e22144d0f634edc7c56d327d4cb41da33e62a84df34ebdf301d69

SHA512
a7845554ad0b63e54b89f6576527f7980e35a4794ae6448fbad2734b63a79b90289f3584d95e7113952585625710bef4a5fdf9954e1f8fd20bcfdec340b3354d

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
92KB

MD5
1bd8dd835648e41233eeadc7b6b8cdea

SHA1
d784406f3af4cc4e7f0a5fbff3aa4e47d5555df6

SHA256
84fe3cf8b383131a40b364711159c5ac68acdef488acc911c33957865c1ab39c

SHA512
2f81b393877c75af2252f012bb7f6792245b1eb245d823558f8d8e07083f49e179633c1486f3554be4e8684bfcec5036064390c7a6aed675f30df9640c57037f

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
92KB

MD5
5ff553132cc0655826da03e84b4b8c8a

SHA1
890aba6f983d72ac1f89619c96a368ae7346f776

SHA256
5c901df5cd60bbee71946e8f2bee21be3557102eeca19f006f09dcddadf3d5db

SHA512
368bb7831c2f7d67e08d21190c2232838e9a80ea5256b87676c5e3725abbb697690a9165357fa9d33b8a7213d2ca46dd21d510e2c9b7626b40c8c66b062de785

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
92KB

MD5
90e6297778bb578c613c8949249eb09b

SHA1
baa463ccf5e5dbeb8f679a8071c82ac82a8f8163

SHA256
fe8ef6e8e4cd81f6b29f2be8360e1212da3a97dbc689d58de685bdbdf59af63c

SHA512
2b473f9cc2ce73bf8dc88ad51af2da1fa8aaa76471e2c8652c6a40d4465ae7b3a37e95349e7f603c8fc7ef6346e30a96e5281052705dd91a1592333231bc3099

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
92KB

MD5
ae6b062c5b73b927195393b19e95c831

SHA1
791f35e3aa22cd1f31c3e869c88c3ea4945457f4

SHA256
d2dc6b01d49677f571630d7e637691d9572ce28e3318c66bf774c113f86ed589

SHA512
f9b3962df0c5a611ec1a8cf1f9ec83430942fe1e016def3b7580a92cdbe46ea733a6d389028e1de001281689a5770027977a7560d4070a5aee989ad2a6479727

Download Submit
memory/212-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/344-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3332-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3332-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3332-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3364-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4620-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5136-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5180-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5264-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5308-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5360-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5404-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5448-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads