berbew | 6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Size

76KB
MD5

d9215ba2cbb8320215ccaf3d3297d0a8
SHA1

90cf34a8843f5efb02a59308be13781254868e08
SHA256

6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e
SHA512

4e8036e6775d977419c5fdc769ae3545b46f313b2ac93ed54bb77366a0a9f0f5d839822d92b618a2e3202572fa32e290ce23946963f33dce5b790d75fb55735a
SSDEEP

1536:LJI8r+ostKqIN7pIqyFHPAgbGD+HioQV+/eCeyvCQ:lIJULN8FHPH0+Hrk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbcplpe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2340	Pdhkcb32.exe
1776	Pjbcplpe.exe
4468	Pmpolgoi.exe
3088	Ppolhcnm.exe
4516	Phfcipoo.exe
4292	Pfiddm32.exe
1092	Panhbfep.exe
5048	Qhhpop32.exe
4444	Qjfmkk32.exe
4796	Qpcecb32.exe
2692	Qdoacabq.exe
64	Qmgelf32.exe
4168	Qpeahb32.exe
2916	Aogbfi32.exe
4160	Aaenbd32.exe
3216	Afbgkl32.exe
1464	Apjkcadp.exe
4120	Ahaceo32.exe
3008	Aokkahlo.exe
4676	Apmhiq32.exe
624	Ahdpjn32.exe
3804	Akblfj32.exe
2564	Aonhghjl.exe
3620	Apodoq32.exe
1732	Adkqoohc.exe
1080	Ahfmpnql.exe
1660	Akdilipp.exe
1632	Aopemh32.exe
3160	Amcehdod.exe
1604	Apaadpng.exe
1652	Bdmmeo32.exe
1924	Bhhiemoj.exe
4568	Bgkiaj32.exe
1728	Bkgeainn.exe
5028	Bmeandma.exe
3756	Baannc32.exe
1744	Bpdnjple.exe
2264	Bdojjo32.exe
4636	Bgnffj32.exe
4816	Bkibgh32.exe
3472	Boenhgdd.exe
1720	Bmhocd32.exe
1580	Bacjdbch.exe
3640	Bpfkpp32.exe
2016	Bdagpnbk.exe
1208	Bgpcliao.exe
2396	Bklomh32.exe
224	Bogkmgba.exe
4052	Bmjkic32.exe
4304	Baegibae.exe
3868	Bddcenpi.exe
2868	Bhpofl32.exe
3796	Bgbpaipl.exe
1408	Boihcf32.exe
2488	Bnlhncgi.exe
3040	Bahdob32.exe
988	Bpkdjofm.exe
2424	Bdfpkm32.exe
1920	Bgelgi32.exe
4164	Bkphhgfc.exe
2840	Boldhf32.exe
2948	Bnoddcef.exe
632	Cpmapodj.exe
4380	Cdimqm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Akblfj32.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Qhhpop32.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Cponen32.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bmjkic32.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Ahdpjn32.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Boldhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
File created	C:\Windows\SysWOW64\Bhhiemoj.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Hlohlk32.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Akdilipp.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Bdmmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Boihcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	2428	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkibgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2340	1556	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe	84
PID 1556 wrote to memory of 2340	1556	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe	84
PID 1556 wrote to memory of 2340	1556	6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe	84
PID 2340 wrote to memory of 1776	2340	Pdhkcb32.exe	85
PID 2340 wrote to memory of 1776	2340	Pdhkcb32.exe	85
PID 2340 wrote to memory of 1776	2340	Pdhkcb32.exe	85
PID 1776 wrote to memory of 4468	1776	Pjbcplpe.exe	86
PID 1776 wrote to memory of 4468	1776	Pjbcplpe.exe	86
PID 1776 wrote to memory of 4468	1776	Pjbcplpe.exe	86
PID 4468 wrote to memory of 3088	4468	Pmpolgoi.exe	87
PID 4468 wrote to memory of 3088	4468	Pmpolgoi.exe	87
PID 4468 wrote to memory of 3088	4468	Pmpolgoi.exe	87
PID 3088 wrote to memory of 4516	3088	Ppolhcnm.exe	88
PID 3088 wrote to memory of 4516	3088	Ppolhcnm.exe	88
PID 3088 wrote to memory of 4516	3088	Ppolhcnm.exe	88
PID 4516 wrote to memory of 4292	4516	Phfcipoo.exe	89
PID 4516 wrote to memory of 4292	4516	Phfcipoo.exe	89
PID 4516 wrote to memory of 4292	4516	Phfcipoo.exe	89
PID 4292 wrote to memory of 1092	4292	Pfiddm32.exe	90
PID 4292 wrote to memory of 1092	4292	Pfiddm32.exe	90
PID 4292 wrote to memory of 1092	4292	Pfiddm32.exe	90
PID 1092 wrote to memory of 5048	1092	Panhbfep.exe	91
PID 1092 wrote to memory of 5048	1092	Panhbfep.exe	91
PID 1092 wrote to memory of 5048	1092	Panhbfep.exe	91
PID 5048 wrote to memory of 4444	5048	Qhhpop32.exe	92
PID 5048 wrote to memory of 4444	5048	Qhhpop32.exe	92
PID 5048 wrote to memory of 4444	5048	Qhhpop32.exe	92
PID 4444 wrote to memory of 4796	4444	Qjfmkk32.exe	93
PID 4444 wrote to memory of 4796	4444	Qjfmkk32.exe	93
PID 4444 wrote to memory of 4796	4444	Qjfmkk32.exe	93
PID 4796 wrote to memory of 2692	4796	Qpcecb32.exe	95
PID 4796 wrote to memory of 2692	4796	Qpcecb32.exe	95
PID 4796 wrote to memory of 2692	4796	Qpcecb32.exe	95
PID 2692 wrote to memory of 64	2692	Qdoacabq.exe	96
PID 2692 wrote to memory of 64	2692	Qdoacabq.exe	96
PID 2692 wrote to memory of 64	2692	Qdoacabq.exe	96
PID 64 wrote to memory of 4168	64	Qmgelf32.exe	97
PID 64 wrote to memory of 4168	64	Qmgelf32.exe	97
PID 64 wrote to memory of 4168	64	Qmgelf32.exe	97
PID 4168 wrote to memory of 2916	4168	Qpeahb32.exe	98
PID 4168 wrote to memory of 2916	4168	Qpeahb32.exe	98
PID 4168 wrote to memory of 2916	4168	Qpeahb32.exe	98
PID 2916 wrote to memory of 4160	2916	Aogbfi32.exe	99
PID 2916 wrote to memory of 4160	2916	Aogbfi32.exe	99
PID 2916 wrote to memory of 4160	2916	Aogbfi32.exe	99
PID 4160 wrote to memory of 3216	4160	Aaenbd32.exe	100
PID 4160 wrote to memory of 3216	4160	Aaenbd32.exe	100
PID 4160 wrote to memory of 3216	4160	Aaenbd32.exe	100
PID 3216 wrote to memory of 1464	3216	Afbgkl32.exe	101
PID 3216 wrote to memory of 1464	3216	Afbgkl32.exe	101
PID 3216 wrote to memory of 1464	3216	Afbgkl32.exe	101
PID 1464 wrote to memory of 4120	1464	Apjkcadp.exe	102
PID 1464 wrote to memory of 4120	1464	Apjkcadp.exe	102
PID 1464 wrote to memory of 4120	1464	Apjkcadp.exe	102
PID 4120 wrote to memory of 3008	4120	Ahaceo32.exe	104
PID 4120 wrote to memory of 3008	4120	Ahaceo32.exe	104
PID 4120 wrote to memory of 3008	4120	Ahaceo32.exe	104
PID 3008 wrote to memory of 4676	3008	Aokkahlo.exe	105
PID 3008 wrote to memory of 4676	3008	Aokkahlo.exe	105
PID 3008 wrote to memory of 4676	3008	Aokkahlo.exe	105
PID 4676 wrote to memory of 624	4676	Apmhiq32.exe	106
PID 4676 wrote to memory of 624	4676	Apmhiq32.exe	106
PID 4676 wrote to memory of 624	4676	Apmhiq32.exe	106
PID 624 wrote to memory of 3804	624	Ahdpjn32.exe	107

C:\Users\Admin\AppData\Local\Temp\6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe
"C:\Users\Admin\AppData\Local\Temp\6e1027fee6aa7b882c98ab00d759eaba7e9824d83d010d7a69c7f6116ccd783e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\Pdhkcb32.exe
  C:\Windows\system32\Pdhkcb32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Pjbcplpe.exe
    C:\Windows\system32\Pjbcplpe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\Pmpolgoi.exe
      C:\Windows\system32\Pmpolgoi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        74⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2888
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        95⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 408
        96⤵
        Program crash
        
        PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2428 -ip 2428
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
76KB

MD5
acc611cbedbfae1c08acbe723286f6a2

SHA1
b586bfc303c23c4401c8de0727e492503ddf6d11

SHA256
6edc0a9f526d7eb65da48f0af74c4f07650907f862c47dad3fe5c6ce60e6e206

SHA512
116ef90b5d263efa1a06b338b90877625dad0b58aa6138863a587f7b0a681dbf655bd36e5e647681c30ba823000b636635b8def84b65259476aadd2a31740599

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
76KB

MD5
53cd5c02de3cec511e111220f8b4c18b

SHA1
e7a8a6bf6c1bebbaa73e6f9b6a9cbec9c27037b4

SHA256
5fd386020a6d6db7bfd457b3c4cc51b9eb8c879ad1335b6e5edc5c74d5a7aaeb

SHA512
4cca5442db1ea13b1ca0262b5d7d42cf6b2d53c29fefdb5a8cdb08a9f030bfe9b44f23856a9fec5968e39930a19dad935f749c867d0f54a5b0f720712ef47667

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
76KB

MD5
e7214c462df87f3a8f746e98764d89c7

SHA1
2b6bcfe94be5a72837059f508129ae3b2b369821

SHA256
aefa1f719d2496d50a0fded19d9cebfd86b3af6a02a08493ec428d918c1fbebd

SHA512
441ac3d48b6cd81008ceebf594d4cb16098bdacba112bfb106693aa83027eec371d9829cb5b5ffa601ae2d735bccbc8bd959363e3ec8336387ba081d2b4aaeda

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
76KB

MD5
318c9affe4ca1b3626e383fcdf6da975

SHA1
5d1732ba095b3ecb086ad83a0e889cbe1b44ef30

SHA256
c170b6b38d4f13e42ebcba8daa3afd34b9d1524fab700c978b9e5e3517d32b0a

SHA512
1dc7f8a129690d4db9d84601f083ce7d156a400c328cc4d30a7c30f00e35ccc8cec0fba0c7734d69293992b73236a6ac3a97c34655c213d555d4aec0e2e4fb38

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
76KB

MD5
1e515ecdd5047581301d2518d191a06e

SHA1
7d9e2101052054df8602a826c91d55812201b212

SHA256
3c360d1b3ed97983acb65329f824efb26fd7e5f0df9dc4b887f9acd70ca4a874

SHA512
90173ad3b5a70c78ee0116dfb32faba66d304f8ffe45b66e1ead4b26ed4f898a81252052917d6a656ca9daa5a5a154145096c9363fcdf56ee1285f4a7fc0044a

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
76KB

MD5
da39369f9017360ad5be36c7bb0afaa3

SHA1
2e47251d6caf4ba76bfed6e52fff10c58946554c

SHA256
634cd12c513b7d1382935c2396464b0441a73fb7dc5a4a683327ca0eddc47373

SHA512
7aa926b248b88aa02fd040e72ebca7da68f7ab8a220b2ba8709d790443afe7bb8a42003c655b0be3198c1d2e3054415f85bebf44ebfb53719405ba0245698433

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
76KB

MD5
f3779bc4068a27411d4fdc24b81122e3

SHA1
dd69cf128f6500df397b9e6c764536a24d416341

SHA256
ee2d5a0142362f5e81b51ff763d50e0936dc410c9db0c13285cbc57a30478c3d

SHA512
80995a37063e07e6b9d2deb4945c97ec180856e1d1d2233ce3ca607b7ba2fc2683758bc384c4680015b7e76f3406788394c2c0d0131d10907e6573f7cf4dea28

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
76KB

MD5
75f03a26eb8b7761557243ce38e83a48

SHA1
0df2fb4f2e35d3f5ad68849ce2f5cd53b5c670e6

SHA256
b57e37a8643298600c8203502e71ade3fe3394119edbc84822508ad5c27a961e

SHA512
aa44a84e60d67928f924bbb6d62ec0ca30a415efe631ddea52daa70a09e78e1873da9c6691236e33bc9699b88c3e759fda66ffb30fbaba661b4a0a1a4d7c95f9

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
76KB

MD5
738beeb22184d5b1be9fe6e83ec3611e

SHA1
b2c9570efb013c29ebf32873e07ffe7b7fbc2e72

SHA256
bf740599fe7d8528319c2184ec7fde2a730e2217caab047a37444fa90902b13c

SHA512
588a85102514554c1fa200b51ec3c8cc4934c6d056a969301a310df884239ba90fea1869953f7172640ba66f3e373a870184eb9e0179737b83d51ac51595e682

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
76KB

MD5
43d699ee52d5fe48216bc5bfbd73e3c1

SHA1
a70594a46de04ddecfb27ccc96817005a79ea93d

SHA256
ba5b6d63b866f01d7019d41bbd6da4fd2d004e288897390a1e395812d1129647

SHA512
9de0539445e174e4a1d7231d43baf614a39ac427461d8053f37f5e53b56d4a63f7bbf1c04a6cd15750377eeb258251bb021b55de54cf04db4b4c6774587b4752

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
76KB

MD5
b6d45f052c6bfd56e887913c02817d3c

SHA1
68db36e36ac2731346498fc3a8ab893e2fadad53

SHA256
b430feda3f86e41e1f9e5e1cd2ebe4d824d86c151e0e7db7ab22106b5e21c689

SHA512
2f5784eb67b7ea6bcfed01603540ec66bc566bd7372724e5265e5037f5009eaabadd2068a3f2e889467ab1e52ef15dfeb7b733cd87431d0a41ec0fa66a52002e

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
76KB

MD5
511870574d6644999800cd1ac1ffc6e3

SHA1
dcc2b47c5c3ed40a59ff385849f19e2732cd058d

SHA256
a3c7d3c4e25c5fb443e52544929c92dd51bfa121cd9f536030f1f9463ba04568

SHA512
9a2fbca22c79b015ae01d03a102bd47b1f3f3324efe572b4a17738a7e2ed510dd93f75cb6211d0d593bcbb37babd98c390854b9f138f69f6753a1787c31be0d5

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
76KB

MD5
af862ce72975791942473fd35eda0a41

SHA1
aa057e9b327ea9845aeb7246f78cee0f6e59eccb

SHA256
aa400932b5da2b1e46181f022529ee7ead32672a49b2d9cf93385f6cbc96fc62

SHA512
6731df22c61bccd7e9af025ea461bb7ca6443f8a7cab7a911d41d507acef50b59a3de888611ec2c5a5d8499c32f5eda67f43dbe2cb5c14636e8e76a99d9e1d99

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
76KB

MD5
053714fffcdba76daa73da98d51f2ca5

SHA1
4eabb53edd47484242c26ba64a1310813135ef66

SHA256
1e0ed2ceb21b6d59f0664a3510cf9ddac295bcb456e46853586d88346c2b87c1

SHA512
c999e88084d9d38b09783da7c8820c7ae2c07a12e569348c20ed1080519e4dc898865cc3b48df417db644541449f08c399073753c5bea5b4d22e07d440ea74bc

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
76KB

MD5
c3f18224554d6367ec49c051df40134c

SHA1
d7fbe554c9597e7e62779e6e4f817b4d06782c41

SHA256
a44cc1e58fc2c0572b58cc1de573847931c74ef1bfd4a3164615e3beabf5d758

SHA512
4f750c9bb87fda4b93d1067da366e828df85f3a59348482b088c7d8bc351112d8b0ef658abc7500a16428aa46bd5f14c5485a598c479525a6beef4b589ddffac

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
76KB

MD5
43ce2da35f0c2802e3caa605a28ea4f5

SHA1
2f9a7bb9a8f1cf9082962496da4296c42b7e4128

SHA256
b84b91e6a4bf7cf817a68dc5ca4fa91885d3975795099cf21f2a104e4e3579f6

SHA512
5dca6be86be6cd87dfed548f4a9773aab37b3010cc43131db7b37cae8841d3895ed46caec614c72f7dac760e150eec3b9e4aec9a4b1c1dbb9de9ab795e4a2ffa

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
76KB

MD5
6074e1017db530a4032b9977bacff29a

SHA1
599192c7bcd0a889bedeaf4e0d42873d9b52767f

SHA256
877bb4c33ce414231a5e098bb51b4d6e7638aaeaeb30d6016b4d79d2be0320c5

SHA512
dbd0b5ecbdfdfe2e2fcf791935974c5916953392aa3fcc4eeddc49e79ae4c5b8717e84377e8bb55117a970a3302102b5ccb9f9ab2fba67f45587c864d857149e

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
76KB

MD5
a55b75f25def1c9ce6aa3f26eba0c03f

SHA1
cc6511adaf880d969b260eae88b2a00adc919967

SHA256
429d83f397762ee22cdbf4e82d52e516d5ecc94f6a2843ee0aa73261d02cf63d

SHA512
8d0f511e0c1b5e42e7530ec01db27c09710d4062872494ac334897d9b2aada59e93035d6c41057fe0d915bfe449d8934ad30aed929e8b7cc43d210c4791d84d4

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
76KB

MD5
eef4ff801dbb4603fe0d78af7abd7a96

SHA1
e906760935f57f4589b9e41475904ea54eeab93f

SHA256
b0d7ea84b5e0fdbc0f45756ad5a1fea07bf95b47e61e3cfe885ce942bdea67b1

SHA512
6f1558da20743b9dbafa6ce33e15bcc72680d0bb76d8edd4bf54192fd900296897d718024e77beea7c5dea6033dc6906a1b1d63c00b68c92e608e163521f1681

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
76KB

MD5
569e0c66611f0f67c84feab4a29595c8

SHA1
0fa1a3e4e7eee6a5a9925ed4f8eeba3ed2586b24

SHA256
a52c6161e812e7aaf0f7cda483981344f59f1978de52366e7431960f40180281

SHA512
65449c9c095432cda19f706fcda1013dca674a34c5f470a87787b924becbfc2491d4a03719ed9de8ed43795ab0c2921644a414084ca43a9f75735d8d3dcade49

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
76KB

MD5
f206c45d462c3c8ac57c380404006cde

SHA1
71e5471a4424cb626b41760f3ea5cd72e8ebf59e

SHA256
543c044fd7eac8f2c79e670f521b3dfb64ef85d529fe246be337bf0391c1296e

SHA512
dacccc6a6e6be5971611418ef9917c5986a94a4731b9d1c32de64830ce2494e29c5c9d7f61afa46b3e38f0f1b0ebd089be1d0acf43cad488805ae3e1c5ca6132

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
76KB

MD5
a81235e1218e50974fdcc72c7a15dd9b

SHA1
e687f39eeca2ae3528d9db6a4b26288bee54ed6a

SHA256
d2edd1de138c9eb7e7f0039f81a8eaf56a3cc9f1440f2b341d249e2842748d37

SHA512
0bfde6ea14b92ce8ff20f5c1c32c5e32f8ed7f6293b4fd3b9071aab35a23352b26ee185156a6ee09adab7b2463eff51f52bafbd6a4a14dab5d925bcdfa3dea32

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
76KB

MD5
299830c6de7ef2f31a55c7ab2bdf50de

SHA1
5ae4d10feb4dcad4e2095dfa862340120ab44a49

SHA256
537362f6bcc9da6056701eec09baa6063dfb343a3496a3ff0aa31cee8f20af9f

SHA512
04f7bd9a820707db706ce4f236802ac5485d9a4b9338f57d0021f42ae7938b499395130c0ffd796534f3847530469533a0be7f3fd186786d5079f410eb0657ba

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
76KB

MD5
87ea07fca625c1359f25eaf5a0639851

SHA1
88e9ef0de12603148c24c4266b4d8f2a632f696a

SHA256
26299da6083f8e905c8660522c77a0998985e7851c7dcbc823f23ba752a57828

SHA512
6ed6f9cc5d3b314dcbe6d7618f5841121c124720fdd3071643201a19b4c8b428667c4bf5e018c65876a4779d6eb8196a277e45aa22aeb8a3dee45030794646f0

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
76KB

MD5
fbe242398a8ebbb5e549ab6cc04b5e69

SHA1
e9c05fe03c1a18f27793efc6e15d2d67e92e7aa7

SHA256
4f130ded58df6db9aa931193aa376c1ed027ef2cac967997f5a8dee55ab74904

SHA512
aa2cf0c4e2aa29927af4002996144b81f35c59878976358b156a1ca961d07e466379768f0d13e7441d750c40f8c631155d3bf21468737b1d28daa7114c435366

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
76KB

MD5
f8b764e2b99857e783873545037102a1

SHA1
8cd696007cafd0c5d5bc5fb2717af32e67654eb1

SHA256
a6478728541ba55a5ca9ad103e69bda2076a2dccd28310531898aa30447fa44c

SHA512
0a3d93ed6158c5c25bc6b5331df781b324d079250491d6b80922249604f08171ab71703b7f2d9a8c52c06a364d57846735d6122667735216839b4b48b83203e3

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
76KB

MD5
9bf8ec11e208b185acb1a8121431469b

SHA1
35d78fce85127eb13828d7e0b8fc37714bd6673b

SHA256
fd1612d06b79477aa447ecaaaafed4a36cabec6cb9dff3b574bb838e9d76d708

SHA512
70192c407c4a80465915b181264c939c2cc22df176d304767ff2dc4125e252e5603db6e2d769e75ab706c9feedeba4bfa4d71432e618c93cca5e8ae924db3688

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
76KB

MD5
64f5239c6786a296978dc5b2adf3a5c4

SHA1
3013f06af7a2dae924685f6ef64a6f066d16ba76

SHA256
274bba1fc79b7806fce92c06f0826ab4787bc756d8493a95726ee38a9e53aad4

SHA512
251eca368c30e90869426e06f7aaf53fe0198dcb050938fc53798bc75e6dc7efc04f5679219fcfc71aab8d6ed12cbe7bb4b340f07de4bba97813adf61a746e63

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
76KB

MD5
6905d8afba6de5360ebd0eadda707205

SHA1
0dfbc719e1b48b851a60f2aa258082dbcf22bc14

SHA256
dcb44f96c73ca75bfb867fae85a9d05d44b6f1e6e00818c2b1e66d2918d73ef7

SHA512
9f7fd55124b97be5d28f502cd8b6192b2c49a0a784c7e710787355a0fda1597d2e383fd8e188314088ab5d158bf4e7afe3839050876884fd36a3b41e95699a0e

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
76KB

MD5
2dc808074b18c71cc22cf049f2640b64

SHA1
3cc53ec67abf2ac930737f581a85263c608cee09

SHA256
eacf30d0cf163f96e173157b4964f7f9ea7a25e41d951e2c94caa8d32d3f923b

SHA512
123ac38c39e701636db0961f27efb547383d9dc73c76dc9ceafdb7ed4c24f8fa6c909fed2a47b44758f3e628a6b6b63843f1ad73a7804774480a3d192358d02f

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
76KB

MD5
0399dfa66cbce4614e68a17e864c607f

SHA1
c13b3f33e7a776a970d1a6fa3ecf6b7bc49a2799

SHA256
b216b9ed9bca63b804d03c2f474add403073bb7b172d63f5d4e120ae0d6c4892

SHA512
0d1aadc42027a10242b6968e7a29bdee2f6aee76ced9a702fd828e17afac7c97362d2211ead012a64387637bba60703923e08121373a7f5b3d2723882eaf6767

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
76KB

MD5
b978a4f9c4218f63c4b4311668a92289

SHA1
8e26d37c921d54ac2cd7a9758a880bc2df4530bf

SHA256
d7c0b10828ed42fd22da22714b1d132cc5a125083ce78fcb46839cd07f9aa4f8

SHA512
c25e98aec39bb7121a2f104b01db2e824e3a9c73ac99909198681a1a587f78b30b9aa607907335e1f3da920159a0a68c3450686ca8d84c10fdf47b93700a9e2d

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
76KB

MD5
aaf65a441abd54e3f0b9fb04534d9830

SHA1
00bbbe90d9496d3908b05bf050ed5217aadd27b8

SHA256
7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542

SHA512
9ea96540e000d54710260169b05a4aebf3f8855b077a3acb82ae2d6799b202083fe1d40f7fb6ded03791d5e1590a5f921fbbcfe462e4eb59db440f41c313f6a7

Download Submit
memory/64-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/988-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1556-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-506-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3796-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads