berbew | 8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381f

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
Size

45KB
MD5

f4293e33aa1c67267ad91000584a0be0
SHA1

d2e972b98724bb358d21760a8e1a63777069dd13
SHA256

8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381f
SHA512

4ddae170b9b33ed702773864a7221d67353bc1fb45582e9c83d34c669a8f3595a0446ae99cace682adbec12daaf9b744bba608e5458d0a59035c13775ff3119d
SSDEEP

768:Oc/i07Bz0yjMpWJECC9tW2hKDIjxEThVf/1H50:nK079+pWMWDIjIx6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4384	Pqdqof32.exe
5020	Pfaigm32.exe
3200	Qnhahj32.exe
1744	Qceiaa32.exe
2896	Qjoankoi.exe
332	Qqijje32.exe
412	Qcgffqei.exe
948	Qffbbldm.exe
2928	Ampkof32.exe
3640	Adgbpc32.exe
1484	Ageolo32.exe
3860	Ajckij32.exe
5032	Aqncedbp.exe
2868	Amddjegd.exe
2188	Aeklkchg.exe
5040	Agjhgngj.exe
3632	Ajhddjfn.exe
2352	Aabmqd32.exe
4376	Acqimo32.exe
2812	Afoeiklb.exe
3968	Anfmjhmd.exe
4408	Aadifclh.exe
3996	Accfbokl.exe
716	Agoabn32.exe
4224	Bmkjkd32.exe
2768	Bganhm32.exe
3232	Bnkgeg32.exe
3032	Bmngqdpj.exe
1048	Bchomn32.exe
4068	Bgcknmop.exe
4560	Bffkij32.exe
1092	Balpgb32.exe
1044	Bnpppgdj.exe
3340	Beihma32.exe
4548	Bjfaeh32.exe
2676	Bapiabak.exe
1088	Chjaol32.exe
3168	Cjinkg32.exe
3700	Cndikf32.exe
1928	Cenahpha.exe
4200	Chmndlge.exe
2220	Cjkjpgfi.exe
2192	Caebma32.exe
2348	Ceqnmpfo.exe
4532	Chokikeb.exe
1984	Cjmgfgdf.exe
3588	Cmlcbbcj.exe
1652	Cdfkolkf.exe
3224	Cfdhkhjj.exe
2208	Cmnpgb32.exe
3412	Ceehho32.exe
3344	Cffdpghg.exe
2512	Cnnlaehj.exe
3356	Calhnpgn.exe
3096	Dhfajjoj.exe
5092	Dopigd32.exe
4880	Dmcibama.exe
4924	Dejacond.exe
3592	Dmefhako.exe
1520	Daqbip32.exe
1816	Ddonekbl.exe
1192	Dfnjafap.exe
1900	Dodbbdbb.exe
3284	Daconoae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	2380	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4384	3492	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe	82
PID 3492 wrote to memory of 4384	3492	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe	82
PID 3492 wrote to memory of 4384	3492	8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe	82
PID 4384 wrote to memory of 5020	4384	Pqdqof32.exe	83
PID 4384 wrote to memory of 5020	4384	Pqdqof32.exe	83
PID 4384 wrote to memory of 5020	4384	Pqdqof32.exe	83
PID 5020 wrote to memory of 3200	5020	Pfaigm32.exe	84
PID 5020 wrote to memory of 3200	5020	Pfaigm32.exe	84
PID 5020 wrote to memory of 3200	5020	Pfaigm32.exe	84
PID 3200 wrote to memory of 1744	3200	Qnhahj32.exe	85
PID 3200 wrote to memory of 1744	3200	Qnhahj32.exe	85
PID 3200 wrote to memory of 1744	3200	Qnhahj32.exe	85
PID 1744 wrote to memory of 2896	1744	Qceiaa32.exe	86
PID 1744 wrote to memory of 2896	1744	Qceiaa32.exe	86
PID 1744 wrote to memory of 2896	1744	Qceiaa32.exe	86
PID 2896 wrote to memory of 332	2896	Qjoankoi.exe	87
PID 2896 wrote to memory of 332	2896	Qjoankoi.exe	87
PID 2896 wrote to memory of 332	2896	Qjoankoi.exe	87
PID 332 wrote to memory of 412	332	Qqijje32.exe	88
PID 332 wrote to memory of 412	332	Qqijje32.exe	88
PID 332 wrote to memory of 412	332	Qqijje32.exe	88
PID 412 wrote to memory of 948	412	Qcgffqei.exe	89
PID 412 wrote to memory of 948	412	Qcgffqei.exe	89
PID 412 wrote to memory of 948	412	Qcgffqei.exe	89
PID 948 wrote to memory of 2928	948	Qffbbldm.exe	90
PID 948 wrote to memory of 2928	948	Qffbbldm.exe	90
PID 948 wrote to memory of 2928	948	Qffbbldm.exe	90
PID 2928 wrote to memory of 3640	2928	Ampkof32.exe	91
PID 2928 wrote to memory of 3640	2928	Ampkof32.exe	91
PID 2928 wrote to memory of 3640	2928	Ampkof32.exe	91
PID 3640 wrote to memory of 1484	3640	Adgbpc32.exe	92
PID 3640 wrote to memory of 1484	3640	Adgbpc32.exe	92
PID 3640 wrote to memory of 1484	3640	Adgbpc32.exe	92
PID 1484 wrote to memory of 3860	1484	Ageolo32.exe	93
PID 1484 wrote to memory of 3860	1484	Ageolo32.exe	93
PID 1484 wrote to memory of 3860	1484	Ageolo32.exe	93
PID 3860 wrote to memory of 5032	3860	Ajckij32.exe	94
PID 3860 wrote to memory of 5032	3860	Ajckij32.exe	94
PID 3860 wrote to memory of 5032	3860	Ajckij32.exe	94
PID 5032 wrote to memory of 2868	5032	Aqncedbp.exe	95
PID 5032 wrote to memory of 2868	5032	Aqncedbp.exe	95
PID 5032 wrote to memory of 2868	5032	Aqncedbp.exe	95
PID 2868 wrote to memory of 2188	2868	Amddjegd.exe	96
PID 2868 wrote to memory of 2188	2868	Amddjegd.exe	96
PID 2868 wrote to memory of 2188	2868	Amddjegd.exe	96
PID 2188 wrote to memory of 5040	2188	Aeklkchg.exe	97
PID 2188 wrote to memory of 5040	2188	Aeklkchg.exe	97
PID 2188 wrote to memory of 5040	2188	Aeklkchg.exe	97
PID 5040 wrote to memory of 3632	5040	Agjhgngj.exe	98
PID 5040 wrote to memory of 3632	5040	Agjhgngj.exe	98
PID 5040 wrote to memory of 3632	5040	Agjhgngj.exe	98
PID 3632 wrote to memory of 2352	3632	Ajhddjfn.exe	99
PID 3632 wrote to memory of 2352	3632	Ajhddjfn.exe	99
PID 3632 wrote to memory of 2352	3632	Ajhddjfn.exe	99
PID 2352 wrote to memory of 4376	2352	Aabmqd32.exe	100
PID 2352 wrote to memory of 4376	2352	Aabmqd32.exe	100
PID 2352 wrote to memory of 4376	2352	Aabmqd32.exe	100
PID 4376 wrote to memory of 2812	4376	Acqimo32.exe	101
PID 4376 wrote to memory of 2812	4376	Acqimo32.exe	101
PID 4376 wrote to memory of 2812	4376	Acqimo32.exe	101
PID 2812 wrote to memory of 3968	2812	Afoeiklb.exe	102
PID 2812 wrote to memory of 3968	2812	Afoeiklb.exe	102
PID 2812 wrote to memory of 3968	2812	Afoeiklb.exe	102
PID 3968 wrote to memory of 4408	3968	Anfmjhmd.exe	103

C:\Users\Admin\AppData\Local\Temp\8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe
"C:\Users\Admin\AppData\Local\Temp\8e661554b10584d3a28c038ddf828a0b74d2fb5b6ee571657f4b1fb008ad381fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\Pfaigm32.exe
    C:\Windows\system32\Pfaigm32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\Qnhahj32.exe
      C:\Windows\system32\Qnhahj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 400
        71⤵
        Program crash
        
        PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2380 -ip 2380
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
45KB

MD5
66fcb2cba82f9111dbb0f7e3f03fc903

SHA1
23b3f78d36457fdc971c1299912ae423c7128332

SHA256
3f8143e216e44d78a3bf34bd7ebd7b9a2c7aa6e8429aa17b6a677ce81a2ea972

SHA512
18d9bd51b7e2c736a744d21c08cf1cdcf541f54ff10ed4624729c0fbd0340bb4819810ebc6641c72e44ab65d3c051d9298e9989e76ac202f1a49f98acdd1139f

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
f832d6a30395f4743dca55822392f504

SHA1
2bfe9e876c321b6cee38377105c7c0a459274b46

SHA256
e6f5f8af089b8c45abc08104ccf55bb6df913f22966fcb940976e92a9f82feb4

SHA512
4c5601fb4f2206f9cceb990a8de0285431448d2a22843ddc9cc42cff484027c3c6bd907f4382b914694a07db227e2c0aac528c689f2e49f456b2409f691e4600

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
45KB

MD5
f74f6425f37f884764dc352eadd2cb3e

SHA1
a5a6cac2dea5309fe0a712d49936957a6eece4ca

SHA256
a122b0f409049fca45f9229320ee8f3c6a50a89bafaedcc937e106d801f1498d

SHA512
2865e27aec8ed3e6b826272549b394da2191848a71c4f09bd198fd803c52e721c0c0702146e5c8bba5a8c8e8714346db43164398a27a4b328a1b8bd1962a0b4e

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
45KB

MD5
a739ea7adb974822f5d83b216aff7055

SHA1
0c67f73bbba3ad2bf19b84ec87da515181145fa7

SHA256
5dd04cce63cb9d41f8ec850f40b2b34b3483a25a616b0dea09d149980df9d2a8

SHA512
69fdae7d63a661d8a7d827c59b41c0b542502c9814df45a5c592006c241457cac3e6483e75f88609b700f42267c95a9f6e840e8da309852e325848fd2f2b88f7

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
45KB

MD5
7886f028bcd7baf2fc785230cb55d961

SHA1
b6110544fb15302e019cf7db7a61f74327c4eae2

SHA256
ecf577c8709e79e466c668912e7dc01a4d82714ee5525de1ca00b8fa909df608

SHA512
29cbec5e1482a28c8dbd42523218dec5d1ecdcdc352cbfaaabdc83554dafc2e688a9d6cbdf436abdbf2f087b5311b4bab8faaad85b7568837e3ba6e0906b55df

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
45KB

MD5
0b456a02aa4fd36cbf83105d24e6c1d4

SHA1
3f91eb7092b19f122ba9e1890d266ddf088133fd

SHA256
fdd962ce118f2082e0089d1dd79afa3b1f7e87dfca62982e3a2e2c5ba2b62e67

SHA512
556dbb802329d1c5f0b3c9a7b86c483f61fd12ae3d25741d22f935b55e4228300f4c3f0241bcd0edb24493ed9071968bb3fccaca875cae5356ea5d94032ccae2

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
45KB

MD5
1a72917c0ad223000630d9e3e6c1ebb0

SHA1
14590a1d0b2b6e11d254bcd9fc82d3fe37c9ca29

SHA256
d4295024dd4538a69d1623c7193489aaed7b05997d499c1d040b1c35228e2539

SHA512
7b2f64abc14891069984217bbca39d0bc9a1637c0ded66889c0792ff01c64772dae231fa98be469c0e5e828b509ecf174800fcfa0468d4fbde1f339a3e024b6e

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
45KB

MD5
f492fabd67c77e85839d3f4219a925bd

SHA1
eca3864b4fb3a067ea6b310ed59c77a3a8779f47

SHA256
1ef2b9230b6f996a7f67a2d607581965904703c39472afd8c3484063c9c51128

SHA512
36a681dfce96aed6566c5c714b0a44a351a2884ceda49052fab911655e8964851e3f2188b56e0a1c5a9eb1d0f4680709f7c380f776fed231f6198d987a8a33e3

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
3fc37c9c0502561fb10be3f2c7e5b268

SHA1
42910f7f7caa656f9b93051606073d2fd44d53a4

SHA256
aae59c40a1633510da44bd16973cb236c732739cc8dbdc75408668abbd900d64

SHA512
4dfee41f1eb6e96081197c05e25af64cd72db933e37efc511c95b3640e01f013dd14ad277d89dad801fd9c66cc9cfb4a5b07a1e8cc8a0d7e18e0f45ad397c650

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
45KB

MD5
3d2e5e364313585d6ca5033a80bdaf96

SHA1
0b38e7eb0e7a374fa97f4cf981a130e917eb40c7

SHA256
5898573bb5d3ecf732a781a1cf396d61d98caf02fce9e9c79f63308a9979a3b5

SHA512
0933d368d753fc8bca4f236621c7a78238a81ed92c1fd3e37167a625b1f94e5b2a1d52555f096992c1cae9a6d685445bb080c3f7cb453c7f9c3e871f257f06ce

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
45KB

MD5
93c612380eb79448b669596584f1ead6

SHA1
cdebde5d93e998ef3c2db19c496314489cbd4160

SHA256
cd70414725d06059ccea7e572949c0d6ff5bfb3161c27bdf7fd6ebaf908ad9d9

SHA512
ae6ca1d29938256810574272f7a1f80030774d96ede92f2de0eee4443f49bfeb5bbbec071469629f3de608333b670ebdaf7424efc65a7712ca15031094931235

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
45KB

MD5
49f91ae47883cc86055690e16e485e2e

SHA1
9dec67faaef8be16f567e131632f4984787f51ed

SHA256
cb04a528024508b3a175df4494199a3b09a632b97b84e9e8fc9f6673ac4ccb37

SHA512
da49526f020894199d1c1ca1821781258bf7de9dd26232534cdca86ef0d44dbde7c3f5c4f4e2816ae9204b577579636cb33e3c46ba6efef4faa079cf6018cba9

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
45KB

MD5
676729889b4dd215d47e824fe8f36c68

SHA1
492312fe7f8c7c784954a99cf5c8af58093d1be3

SHA256
9dfe0be243255d3e94fe579a2703fa1b244a994b45ab7994f56d2d3261aa85ab

SHA512
0e8e6799330ab02090f8655f76e126987dab15923240f1d0990248e4a01b290b3ec331b5cb4fc1665c599173a68a2534a4d74ca67b963bbd13f59d87658d1d5f

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
45KB

MD5
f8d6a055cd92e25e319635a0c14e23ae

SHA1
788563ad2f9f8a4c7dedcc0615039c591cc303b2

SHA256
a230fab2fea54eda791d4a72acd592c40b556d6bd2c632ecc973b66ed7674bad

SHA512
7832585276a163668e24f12ef0494a41b355f6a28037012b3fd209e54a6afeb831c8085bfccd7b75b329b0c175fd2a2af5dafd0d25c7b48e64a10394cf6c21ae

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
45KB

MD5
45affff6197e9d42200b597c7518094c

SHA1
30ca881ce3959824663966e8d56810f0cc3bca92

SHA256
9d6bb0bb24d903fab6b1d73fd5fc144ecf492d328a653d7f3b5fdd78c417a1df

SHA512
f836396d7d9894b52508d449bc2b7ab8c1d819a2ba08172f7e7b80e94a1c2424f9c265695bc883a681ba5df7715d70ac60e8b806cc031c3a21c497d8a16f436a

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
45KB

MD5
ea629b995a494b511b9582b2a566ae0f

SHA1
b85873cf3428fb4252e5032596c0a6ac994a3958

SHA256
51a6e5c4ac19a12b7570a0710dbf83ee79f6fc5fe53d7d70f8f145bec4466030

SHA512
bddfdc836252095a27290dba7a79410e8975225501faf5cdda0b967bb2732eb045ddbb7641c794e4390b7ca155d645ab9ae12830a122cc8c2cc45e4d7b74d77a

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
45KB

MD5
6ffff1fc8037a5aa5f874a2841cd05d4

SHA1
abc510cbc08ad0f9e23c4c3a8551d3bccc41e428

SHA256
f972eec1048c29f018030dac8db74950675b7854cdf2945586eb1155e2de5296

SHA512
697ab139a1a61d6a469249038a7463304202dbab194e71552301bbc8034d6c3009b6fbeeee3cf596f422cb33e03904431f07390a047d21bd0b826a8dca2e31c6

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
45KB

MD5
f04b23cdf4a6273a395154cb6a02b123

SHA1
fd2a7e562f011d77e87e1272bffd44acd9d17aee

SHA256
0aa01c585a8e71c4cccf235c0b6d1ca351a34a09d67ae655e9eb574969b91410

SHA512
c481df423d2d33ed7c620a07d284ce942b51ba6c29ad97402653a2138dbfd632d012ae9c48cfe9fdab5233c5cf5219d604d10ec83f62c0dd46f633291db7f42b

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
45KB

MD5
bd7a69c2a5977ebd3239b6d0f5d81102

SHA1
3a1ebc27d315dee6823c13a5b62e8051954f4305

SHA256
ce687aa4fb777cc8e58e48ed461aa3187b8ae9852599f72daeed34ea905dfd69

SHA512
9170ca8c9cbd3dfe1e82f1646464c092c7f864669ceda3948ba59fb63b37d615917c4977a39756d9d4d318b27e9dfcb9292d94ed9936a2408d4b47cff2f80a1f

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
45KB

MD5
52a0ac472868d32bf56c607b307f715e

SHA1
b895f60b1fb62161ba730df5b4909c01a7fd525e

SHA256
314f2bc9db0c2130e354e6b6d21e3389d9a53ed8bca1a25d575e07361f776da8

SHA512
6998182bcfb844a42393abd791dc3d919347907278de8a4ce0cd7c85d89cdbf5c1874afa3805a5466dfd36ea7d449692faf488d78c48144bd1512e4007c7b034

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
45KB

MD5
e2012166590418075719da3fa8f0be91

SHA1
96411d482de02df9cea23057eaf4a00dfc8c1b8d

SHA256
4a6fafec4176338d3b31176356ddbcc02881d4434e56f12eaff44c9ee0d64979

SHA512
5da9f963aafc7630486b2e98e0bd11c0fac4ac1557ce431f852be4ddc7ba4638ffffbb5c44ae6e9e7515931c542596a64553220c5c4a0acebc7e2d9dcab8ebd2

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
45KB

MD5
f413e6bab6872d8e176b96cd9177c005

SHA1
9047adbb31d017a70b23debaaecd272e1494dfad

SHA256
8c94a7bebdb422916e06eede3f2b1343668ad2084410c688a119bc05be6fbecb

SHA512
3730e659d0d660c09f68b7e1effa8bb0a82bc69c5509ade5ab909ed78dff88c97e08bf33cd8cf1afc97aeb198ccb83401557181b37cf049b095e0ece7fde076b

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
45KB

MD5
4dd2925106dfae62ad939d999fa987db

SHA1
4c562e622b7fe45b36a06f35adae9cec9a625402

SHA256
3fd559bba7dcff1ea37a8b260cb92bae9cac5fcab99c8390f15c04a496bd969e

SHA512
da0c300af14f1ee765ec725b006d8aa850dc615520058c17df6c48bc458fa1e79a1a295306e59ad3b95eda06058feac6fcf4ca737871368069671604fd7e7d1c

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
45KB

MD5
34dc48da0b349fe05a0c5fba11cd3db0

SHA1
690869f59767900239e4851ff1bf0d0452897078

SHA256
e621cceae7c9209a1f1680770d5830c9c98747239daa7fda9301ebcfcf58c321

SHA512
44bfa1829a02e00016a55454c602577c6fae839b9fc8e36466d087936d0cb91bfdafbfe04a93aad69d1df3e6887a8f4ba91e652e75465dfd13cd085c51a5ea9e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
45KB

MD5
bc8207b3a2cb4be2d7c8f67229be10e6

SHA1
2028c712f8e3a0952e3102004c434cb2f520eefa

SHA256
22e91222328ba657a97825cf35c5d8c720b7af75a215b79435ba21c6d72096e2

SHA512
965ca136633f9dc09dde848e81c472edea6ed38868a10cf2c21e0907552f558b06b6708f10475850570607625e31ec0e45911205b24053f802f5175f6533e98d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
45KB

MD5
0c43f1fdda0010e8ba06f3289619d4fa

SHA1
30051fb73f8d48b9016883231c98ad8bd2921372

SHA256
c9e96ce9f05d58c5f8dab049f1b65351c15a5e39e151d53043083009f3d3a817

SHA512
34976580bd6bd0979e1c1fa79b1ff135860ba2b249da8d36958dd2766827774d798970261a2035d29f9949f405f6df41da000af6bfcfa059e2b413f704cc3f6e

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
45KB

MD5
2412c21efc443455eb254d92931f7977

SHA1
9f83902a7e4d2bbc3b1d4dd6975da0305c8ceeec

SHA256
4360c8619f1be70f6184913df0e90ca1f3eb53af249817ff575385445bf42c3e

SHA512
daa7ee11ea5b07ec557b944ed3afb85346bb77139211721b02de5e96de8144009f7572bc4902d6717d6fa419cb1caabbbee3c49556f299a9f2c5582724a39b16

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
45KB

MD5
d71c1da7b1f89fceecaed7247f80fb93

SHA1
7ef6899a41598d1d847d692fcedc083b70eba33d

SHA256
0a44bb63a949b5c549da34d1608ffead01a56c62104253d1142e2380bbcdd100

SHA512
2306bb0e77d59e476cbe3c9e8345b6059af28be78b161b57e521c90ac03ba7121e8960a3afeb33819709e80e8d6f58c274e28c4c4645c99b8cf91bd74e670e35

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
45KB

MD5
0c92c67f6a2b18a1cab5c0d02a980326

SHA1
ed5281f59e35b64ffdc5232e8b4bb0d1d3a56303

SHA256
914add98daeb3dc5bbefa53a8fb23b662edc1d9033d3e2971eb094367399bb43

SHA512
693333eee1f892ccb452ed030140cfc2a55dece1ea2233b9a7d860678b7aea07be32327ae64f7139b565f5ac374bf6f45bcb6f143869ca7e271717dba781efc8

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
45KB

MD5
058a6f2668cbe1e9ff57bb228e2eaa61

SHA1
818f59c8a06e5fe157cc7fbed7ce9111ca2645fd

SHA256
89a443b9e2531f4d3b1588dec5e996984aedb2e6b377a49385d2f508a3f94c79

SHA512
7d94f1e8e7135c5c77399730aa90ab5dad93aba087c51fa4ea2ca3ef45822d612ccd81445c111a8c7add95f9f49f86692cb89c87b3b12ac8444b0c4f2458836b

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
45KB

MD5
a3197caf3194e263e3e3f9ed5f0cd904

SHA1
b60172023d9c97710e4c4d8b2d32f9aeda4784b8

SHA256
3b87c5bf647e1b4fad2010c0b55a7d2ca5f85c0ef1e8dc7acb14f18321a5a441

SHA512
6a858c13da39ef8340c248f6b99e72984f5948efcd8e8144f1f5ed3d861ee0ca2348232083ca2083b8bd56fa46f27319b1ed88e775dfe76ca20983e6a383c4a9

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
45KB

MD5
a023ea606fa008a1c7742acae605cdd5

SHA1
1cd41a7f585261b714d1add36bde5c52990afcad

SHA256
61add2f7a150bd5b5cb19123cd8fdbcbeceb5bd179d56c7141eb9c0c9289a3c0

SHA512
783a2b02fcda4a17a3bb5a558f9d63f755a06d0f160494262422f2f766df0beee550f778b8ad601df47f1090ebd67a8300a59bfe31ef4d6ac697d9e3f37c6054

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
45KB

MD5
c6b12e2cc5f7eb5b9e5fe11e900701a3

SHA1
f2b9a29325b7d91d9b19b98b766186631d001643

SHA256
92547e491ba605a96e7e944041f37bca15f858da4d694577cb4fb23d540a7dc5

SHA512
614faf0444bbaeda3c77e1412cf13b0042f8056fa5270bb29152363ca5862fcc14ca12899bffb2caecd1f15cb009ae6597893151c68c6f5a85cc40e1b20ae612

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
45KB

MD5
a0eedd837794aa28f22eb5db4012457f

SHA1
63a60524cf0e692fc64b18aa102576a976d9dfc7

SHA256
87b84683b73dcafd3fc2bc8674916408d569c893bb25d498707109caf1e3cfc4

SHA512
dfdfeaf22bfb744385c4211b155286ec0c90cc87c75d7032f8e0e35059475464f9f5f911c384cb660b8d3e1f7f4d8957b6271d99be0a862651cb792b489bf19e

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
45KB

MD5
891abef7f612f3d671bad02ce0143606

SHA1
64efa5730cc4027e3eb553b5f5212651b21f974c

SHA256
07809c4856759e250f52ace02c19289ce4d276d00b9a44e19a54ba3f6b08ad46

SHA512
c7b0f505a85aa89b650e6cbf5870b2e1e51a72aa64b4f567b9368f8ade5bb6bde03b41d6d3d1ecf2859cfa22614ecdc0128afcb2a211faa4fc5e73c2b846ee50

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
45KB

MD5
edd71603de69ae3fd6a1ea915ddcf8c5

SHA1
15d6f6b70db1f000974c01396565a7fcde058ba1

SHA256
5ada893e4a3063860f35a14985e792cfffb650754c0cff151e0d5dbfc04e08f7

SHA512
fa1ed528dc37e687e67c818c77234bbf7ef871c36a5a7ae2d9c293ba014ab5560c9a12ff17ec8bb94d079fe3bb74cc0cf681d604ce4f32d92893802a4e138f93

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
45KB

MD5
54dbb867b3c48aea1be56e87f6ea5ca9

SHA1
ea1d44771dd770ae5e4b589c8f5967bcd09074b5

SHA256
1a6567625780bfcf57d6bc207ca1e31a3f9266bbf41a3d3571e9aecedbc2d09c

SHA512
4617235eacae2f99dd03b117145a1fa19eaeb90e13be0ba1f9dec4596b19b87ecd38de055a4897856751d7594c5b16f214a3cfbc4f211cea1d750318bec86e14

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
45KB

MD5
fcfc31af6676619229e0ddce608a3027

SHA1
980495ce2bcdb3f2d5c35d10b57d46798e8360e0

SHA256
653eace593352705ede70d363289e5bade4feb5ca944472ab232cbe7a289e8fb

SHA512
1ab69a58eb58ca9693ac638b21dbb1969505946fd26d1a089cfc00741da777139aee4dd5fc88754a60a0d2fb1386059f1502541b044e247d1ff83f6a68b7d9f4

Download Submit
memory/332-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/716-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads