berbew | 4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Size

59KB
MD5

5b896d7265db523330afb7d4a8ab4250
SHA1

e13c7c1ce34a77a3b7f437cf7f67f9bf63bdaeb3
SHA256

4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6
SHA512

03a19037726f39d21594acdddf637fc954c22f888b7155d4ffc28c5931b8bedcbf30e30ce726cd7afdca69f1ff41a32f14b6b1c0aabbaf15b156c2b4ab60110f
SSDEEP

768:cYRgpYw3nWrH4NszC5WMsUGLuc7s5rbPPGL5b8IHP/n2Z/1H5Axl5nf1fZMEBFEI:vRIRXiGs+5W9UWp9b8IH8YNCyVso

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4904	Qmmnjfnl.exe
2056	Qcgffqei.exe
5032	Qgcbgo32.exe
1120	Anmjcieo.exe
4852	Adgbpc32.exe
5072	Ageolo32.exe
32	Ajckij32.exe
1828	Aqncedbp.exe
2052	Agglboim.exe
2112	Afjlnk32.exe
2900	Anadoi32.exe
3000	Aeklkchg.exe
468	Agjhgngj.exe
1656	Ajhddjfn.exe
2216	Amgapeea.exe
2400	Aeniabfd.exe
1252	Aglemn32.exe
4196	Accfbokl.exe
4192	Bagflcje.exe
4060	Bganhm32.exe
1604	Bnkgeg32.exe
3560	Baicac32.exe
4832	Bgcknmop.exe
2448	Bnmcjg32.exe
3492	Beglgani.exe
5104	Bfhhoi32.exe
1172	Bmbplc32.exe
5064	Bclhhnca.exe
244	Bfkedibe.exe
2676	Bmemac32.exe
2060	Chjaol32.exe
3488	Cjinkg32.exe
4728	Cabfga32.exe
4388	Cdabcm32.exe
2120	Cjkjpgfi.exe
4660	Cmiflbel.exe
4524	Cdcoim32.exe
3672	Cfbkeh32.exe
3220	Cnicfe32.exe
4528	Cagobalc.exe
3048	Cdfkolkf.exe
3668	Cfdhkhjj.exe
1248	Cnkplejl.exe
548	Cdhhdlid.exe
1280	Chcddk32.exe
2136	Cjbpaf32.exe
4104	Calhnpgn.exe
3944	Dhfajjoj.exe
1088	Djdmffnn.exe
2940	Danecp32.exe
4152	Ddmaok32.exe
2032	Dfknkg32.exe
1508	Dmefhako.exe
3204	Daqbip32.exe
4972	Dhkjej32.exe
4896	Dfnjafap.exe
2580	Dodbbdbb.exe
4836	Deokon32.exe
1116	Dfpgffpm.exe
3636	Dkkcge32.exe
4816	Daekdooc.exe
4616	Dddhpjof.exe
4376	Dknpmdfc.exe
3728	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	3728	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4904	4072	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe	82
PID 4072 wrote to memory of 4904	4072	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe	82
PID 4072 wrote to memory of 4904	4072	4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe	82
PID 4904 wrote to memory of 2056	4904	Qmmnjfnl.exe	83
PID 4904 wrote to memory of 2056	4904	Qmmnjfnl.exe	83
PID 4904 wrote to memory of 2056	4904	Qmmnjfnl.exe	83
PID 2056 wrote to memory of 5032	2056	Qcgffqei.exe	84
PID 2056 wrote to memory of 5032	2056	Qcgffqei.exe	84
PID 2056 wrote to memory of 5032	2056	Qcgffqei.exe	84
PID 5032 wrote to memory of 1120	5032	Qgcbgo32.exe	85
PID 5032 wrote to memory of 1120	5032	Qgcbgo32.exe	85
PID 5032 wrote to memory of 1120	5032	Qgcbgo32.exe	85
PID 1120 wrote to memory of 4852	1120	Anmjcieo.exe	86
PID 1120 wrote to memory of 4852	1120	Anmjcieo.exe	86
PID 1120 wrote to memory of 4852	1120	Anmjcieo.exe	86
PID 4852 wrote to memory of 5072	4852	Adgbpc32.exe	87
PID 4852 wrote to memory of 5072	4852	Adgbpc32.exe	87
PID 4852 wrote to memory of 5072	4852	Adgbpc32.exe	87
PID 5072 wrote to memory of 32	5072	Ageolo32.exe	88
PID 5072 wrote to memory of 32	5072	Ageolo32.exe	88
PID 5072 wrote to memory of 32	5072	Ageolo32.exe	88
PID 32 wrote to memory of 1828	32	Ajckij32.exe	89
PID 32 wrote to memory of 1828	32	Ajckij32.exe	89
PID 32 wrote to memory of 1828	32	Ajckij32.exe	89
PID 1828 wrote to memory of 2052	1828	Aqncedbp.exe	90
PID 1828 wrote to memory of 2052	1828	Aqncedbp.exe	90
PID 1828 wrote to memory of 2052	1828	Aqncedbp.exe	90
PID 2052 wrote to memory of 2112	2052	Agglboim.exe	91
PID 2052 wrote to memory of 2112	2052	Agglboim.exe	91
PID 2052 wrote to memory of 2112	2052	Agglboim.exe	91
PID 2112 wrote to memory of 2900	2112	Afjlnk32.exe	92
PID 2112 wrote to memory of 2900	2112	Afjlnk32.exe	92
PID 2112 wrote to memory of 2900	2112	Afjlnk32.exe	92
PID 2900 wrote to memory of 3000	2900	Anadoi32.exe	93
PID 2900 wrote to memory of 3000	2900	Anadoi32.exe	93
PID 2900 wrote to memory of 3000	2900	Anadoi32.exe	93
PID 3000 wrote to memory of 468	3000	Aeklkchg.exe	94
PID 3000 wrote to memory of 468	3000	Aeklkchg.exe	94
PID 3000 wrote to memory of 468	3000	Aeklkchg.exe	94
PID 468 wrote to memory of 1656	468	Agjhgngj.exe	95
PID 468 wrote to memory of 1656	468	Agjhgngj.exe	95
PID 468 wrote to memory of 1656	468	Agjhgngj.exe	95
PID 1656 wrote to memory of 2216	1656	Ajhddjfn.exe	96
PID 1656 wrote to memory of 2216	1656	Ajhddjfn.exe	96
PID 1656 wrote to memory of 2216	1656	Ajhddjfn.exe	96
PID 2216 wrote to memory of 2400	2216	Amgapeea.exe	97
PID 2216 wrote to memory of 2400	2216	Amgapeea.exe	97
PID 2216 wrote to memory of 2400	2216	Amgapeea.exe	97
PID 2400 wrote to memory of 1252	2400	Aeniabfd.exe	98
PID 2400 wrote to memory of 1252	2400	Aeniabfd.exe	98
PID 2400 wrote to memory of 1252	2400	Aeniabfd.exe	98
PID 1252 wrote to memory of 4196	1252	Aglemn32.exe	99
PID 1252 wrote to memory of 4196	1252	Aglemn32.exe	99
PID 1252 wrote to memory of 4196	1252	Aglemn32.exe	99
PID 4196 wrote to memory of 4192	4196	Accfbokl.exe	100
PID 4196 wrote to memory of 4192	4196	Accfbokl.exe	100
PID 4196 wrote to memory of 4192	4196	Accfbokl.exe	100
PID 4192 wrote to memory of 4060	4192	Bagflcje.exe	101
PID 4192 wrote to memory of 4060	4192	Bagflcje.exe	101
PID 4192 wrote to memory of 4060	4192	Bagflcje.exe	101
PID 4060 wrote to memory of 1604	4060	Bganhm32.exe	102
PID 4060 wrote to memory of 1604	4060	Bganhm32.exe	102
PID 4060 wrote to memory of 1604	4060	Bganhm32.exe	102
PID 1604 wrote to memory of 3560	1604	Bnkgeg32.exe	103

C:\Users\Admin\AppData\Local\Temp\4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe
"C:\Users\Admin\AppData\Local\Temp\4352219936b43a2c383083251ea463690e31a20c72da5eed941d5eb1852c17e6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\Qcgffqei.exe
    C:\Windows\system32\Qcgffqei.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\Qgcbgo32.exe
      C:\Windows\system32\Qgcbgo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 396
        66⤵
        Program crash
        
        PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3728 -ip 3728
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
59KB

MD5
49878304f628fbf47a9f75575ce59d63

SHA1
9a944af24f59751c258c2ef34cab412505db658d

SHA256
37d8c35219981f8d5a02b9cd154201043cd135481a62ede0e33f8fd534c41e8f

SHA512
fd58e41975b62a56c89b35acf2d59d11b225b02506d76d11bea4cd6fea0fad5cec20e3e856a5b768f5c826c4b487393146751fe4241541ed16c967de432b5af2

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
59KB

MD5
793dbe9acb6f17fcc08f6db244e63493

SHA1
f4b1e384dd0ffa95d3fd1cbacf66fdbc03cc7abd

SHA256
8ed2dcc16bb283c20609940d638db04dba544890ad64d0ef0fe938a983511fe5

SHA512
8637079a053e2f1f5ef7f83a3ea4337592c616a83166a8a3ca481d47c3762625d73f08684536036bd38cbc444384ae53f9015192c26d61f109305316935532e4

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
59KB

MD5
d7ac72e0313fe24e03229020a15cea13

SHA1
fbe40a44bd49b23a97401f6a9f8e5d4061576c36

SHA256
68ec472c3d3c433397c3807d9f0634a90004f21a9135663689afd3ab14f2b43c

SHA512
14d357d1e1a102bce992035ba6e3c9e2e14dde80e89f25f22319f96702eeb1801ac4ba063be1f924d8d0db29c7d4a96eae9cb0f6a17a9be113305086adbe1b1d

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
59KB

MD5
d3fa179e88dbc032f6e9066c50c2e376

SHA1
f088aa6b282ea5da98c3950b7d5f65d5c1dc5b14

SHA256
119d66863af05bce9a3a52ccfe60f4b25aa6457067550b4390a8a1e05557a4b5

SHA512
50e9af423f14858802f95fcfc11160cfd5e91a8068047169cc421d586827145051659e99e228f9a160036f5ac399fa0151cde7a4e8a44e22f1ccb4505e5a26d6

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
59KB

MD5
1a971f712644a1541248b85c67c915b7

SHA1
ff2de75846fee0da76ae01019b2ab6362ff0e60e

SHA256
aae4e18b61defc39dca57125bbbe752417b8a167f9399f0b27a671d1f3d1fa1f

SHA512
6f4d36d35b5239a96ee397f1370980a4883de717333509d8e70b03cab0abe02e54bcb6485bc641cd194fbdd32e925245e763275193d6438afdb066702e888948

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
59KB

MD5
197b33c22277c5b31397c3cfd5cb3583

SHA1
de20e98e78f0acf15a16fc50ec6c087368873afd

SHA256
70523f87d2649f67aa0faf7d3f16889186beb8674a24ebad85d56087b8954fe2

SHA512
feebf882e733e20a01904df9b8dcaf783efed58c79d4b8af8c1ec74ff0d2b66fb6f1c66b1886b1decfa66efb7d1c8a0649f5dd3a218fedc1857f5afe30fbe295

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
59KB

MD5
990184fbe7323e95e7933427cff15a2c

SHA1
513fa04cf95ed27c898eaf58fc29e6864339dc6b

SHA256
6b33e2a1f3b1abf1181dc3eed9e6a8db13dfc5331c8915d163291d1c035db838

SHA512
ec9d99f2ae4229d0955224bbc751af7bd5afc3b15711400e8733adb458e330d2f8b9c082f3fd39287ecec8f5e04380d9047180cc3d30926f66fbf373304d221a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
59KB

MD5
9a65949a3574a808167898cb938dbc8c

SHA1
0b22d1bf56a8b822a7753e6356c35c9aa594cc27

SHA256
2c483a777a7df7b73a5edb26eff94f4256af97a8b39002c05b63606593faf23b

SHA512
df5185e71fe57378ed27757969031421d86abadd98003974a13467b548674f5c93ff1c6f222bdbb02ff54a88d986d380748c51af97eef051cdf652bad1d52e2e

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
59KB

MD5
344623a0a2d38224bb297befb097d728

SHA1
a5f66c72c7a5561a83aacc96e8cf6b820af46171

SHA256
acd9e629207961efe61f048b1c0fea60888fb7e3d1850df0ed10d83e9ae0b95b

SHA512
815809960478526fa063cbfec92b0e3f1f3361a6ffc3452cf4e11ac53ab16be9a7418c75726984df3feca5fa5ee92328ae24a0a67dbf647baf0719623dc278ac

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
59KB

MD5
847ebe29aeccd69dd3fae513a789a0f3

SHA1
b3a186624a4f8f23a6ea1e0aad9df3cd760e876d

SHA256
03d95736d45ce5887acc988f67a3c0c42b934a395fe4d991cb18c9c8d98e21ca

SHA512
ee80e53e131a2b5d8d0299fabda7c8ce058e89534b9d6f2afeb2603ac56bd20b718ef190c19731be00c4598065b759f42245d74e5d19cca6668a7d23ca3af450

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
59KB

MD5
a32a12532840ff498e98e45e85850bdc

SHA1
3e2554a8d6936548641138cccec09c179cc331bd

SHA256
7be3edab9462b68791dfd435e7fc75dd34fdf86bb52edefc7efb41335b9d2f1d

SHA512
5c1d7e47bbb2d28bce22a4d31f547d924de862bc99d8bd25f3605462f368f26a8d09414bc6d4084f97ec5583a4e479428b3b148ac4ec8115e71e42bda5c7b21d

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
59KB

MD5
0b966401251e569a536ce85533c735d3

SHA1
7e5b36ee27a29d7ee69e308344601c934744ef75

SHA256
d833a8f05e8f3635dc817b8cec324f6625cc4dd7b9feba8ee9a71f02d64bb8d3

SHA512
ee920aa255a86896a9c6c3baf4c6d178298e76a12695ea6665b5eca54bcf97f60b7b49704b9fec875242aa61b5819a4a8b462489ca918059ea87a7652d3093ee

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
59KB

MD5
8ba4281b556d38461e05cc64fe4afa8f

SHA1
6e00a1b84243c53a120863576db4c7bf133d1c12

SHA256
403f0bf1885c85e3411261fe173a157f354bf4a25ad7fff8d705304b734bd427

SHA512
9b776cd92c60f035215efa08ceeb0be7dcbb4608742d19997625f491de747bdaa5abc7097502542b36bca2f103cca21ce51c1d35a18aa94ce575c6d0822f7b30

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
59KB

MD5
814399292c3a90858585cd56ab1eef14

SHA1
3a6846347ac90610665be5a766d5c12ddbc19a78

SHA256
f02ae943e1b51c2e3ed2798b93107bdcda13295b0ef892a518cd0171ba9e1d6e

SHA512
0b6739cf989aef747024fb162a8a86172d3dbc075e86b663534e546c5988181e6b482c428d98e92fe3dfa24452a3f330aa56fd713b6528bec736104f0681eb9f

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
59KB

MD5
6222f0e859ee7923c57b36ab78b6ba84

SHA1
b3719ed8f696d5e333d7d4d3152ff8b678e2d147

SHA256
7be0dce04dc99fb37fbd9df71b91eecede555823e2c5d6232cc4530051c9bfc4

SHA512
28076c8801a3d09b048be4b8a170c82cf9b7d7c249146ce3d09e49b3d5151df639c4ece86a99496c31b486c3b5eef641b8a072634ff530577b27f77bb4a83f71

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
59KB

MD5
6068cc54206f2de30131e275bec98327

SHA1
a406bb03734b91554da66cbc2441fb318713b2e9

SHA256
be5ba286bc9ce8e3b0a1c197b381b456dac1a9d5b7a5a5ca724b13de317280d1

SHA512
6d0a50246899ff8382054e8e201079151397a2e71959c9a50cf87c9510ce6b3bcc3936eb6f85d3520d183406f142b1b0d8ed892855c117bd6b55df10d1150f89

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
59KB

MD5
2db9bc5bc02a12b4ba514130344c0e5b

SHA1
310cd0ed649ed5d72aa577a444227430a4b11a4c

SHA256
d70ad16a1458fa84868c89ec765f3743c0c82fac9a6d41d0b9055e5dd81e75f1

SHA512
ca71432713414440db1333aa47df55b5fe78956fb1deaf3d569cbdd469e6bca33c81ec2b077dc918072b262715cb5c0b5640e0bf32676ee4d3cd1b494183bc8e

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
59KB

MD5
10a7c619a6655482b2d87068c5df2e7f

SHA1
9464fa0ac3d11d51acb0d3e86c48211e36a0cd88

SHA256
68ae1ecb6363a7fccf567059d1dc19e2e6557d4ee0010a0a4591e466a369d273

SHA512
6901e81d9bd981e94003b22b4aee2e5e0b9078c0158140036574bdb1e09c6f7bc3208829b1d616c4ead7c770961f1dcbb559ad7eca902f787a475abac2868cdd

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
59KB

MD5
ca8f0a113bf8d4065bc103c8b9713055

SHA1
732210db217f7783dbe85c297b1840ac7ddef593

SHA256
da9a03225fc12e0a960490ac0380fe6baa4092ad11212bed57465c29bf011091

SHA512
e51c89a241af8a1b1082c513cbf2ec15aa195dcc659f9b9c29ee4cac801d1acd2cd6c72ab56982b7f484d8e4013bc3c13568f3ecf76ae8e6aa8904051b70807f

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
59KB

MD5
03139c16d784929b73409cc9e0530beb

SHA1
7f47712b6eeb4c936394d820b89b1e4008cd3c90

SHA256
7ae23e79cb6ef1d0783bf587510c21c00b653cfb9322e7c5fa0772bb3974451a

SHA512
8286df92ba896163ca15f3005082d050c5679279001aa7bf5e30f516b300a6935751a8e55d7a7af55677f4e5693e11046877871ba50a9575de5d3d7933b3b499

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
59KB

MD5
869d30f9478bdf2adae6e29a307ead0a

SHA1
77d1950ca2c9aa7e36c6d909a266ee10e629b082

SHA256
5dc76c2f68944cd6ecf22401ab2644eae3dfce1d4654129b1d2c8219267ae4f3

SHA512
cf2b62a0d04b88b073496ca8887642efa8dccdffda6090ac8d73c7a051dc9d8c52f09b75de119e34dd5ac40ab14d4dd49b066d89454043d74e4253b015834478

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
59KB

MD5
c00f675947a88819e6af34a2970e50c7

SHA1
433310a8d9e6933fae90ccf6f72f113695d74375

SHA256
f570018fef2148c8a96a6f235f94ff536e2b803b75d8bff627ed7a3249cea28d

SHA512
86827aed0177050f0fa4ffa56c1a6db9750a4732b48de656e6d51abb2856db48cb397047cdcac824e35879de97e6e36993a32c34e8301a5dc990586699734865

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
59KB

MD5
153aede51fe210dcdc2dbcd8d2f15d00

SHA1
b565ecf2f7f8b98bad8510e4f7e0f256898057b7

SHA256
d5cc70d7f745f3c926c174a939ae9b536d026285b95f049e297eb69bd19adf1a

SHA512
f347e7ead02dd5c04d6526002a6a4d411f1aa7ee3b527a7e7f611cebe5cb787b70bed09ff380fd945cfc0754eceabab715b4ff31ad6524d79be3ca358ad1642f

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
59KB

MD5
a8dac785ab2238996299adbd7135457a

SHA1
be9b28a380cc3672cfc18cc462e90526e8614b33

SHA256
e85023ece194ddaa89212cecf5247122dec1ce85c9084796a873ac496d1e2fcf

SHA512
8a289a423267ed63f7e033c889c8e1e5987f6111a1e94bae7f2b43eb9619e33dfc0fcc87ce3356c4803da3a9fefd2a79a0fe811ed2d6722ae8cb59b0263d6818

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
59KB

MD5
028129da9672440e927b1355f0bc6060

SHA1
9945f8220e29fdead9c7be2b9419c53bc350ddfb

SHA256
c74067e2fe04b109ced5f542bf4a119482e48bec876d33d455e4249cd262f482

SHA512
90a2832b47d1f1abb1c68e0ed2051fd3618c78a2d90ed20feea34ad76e8ec08023ceb3e7067a7070253aaff69708478c20ea7625214877e89e3030d8e87c1e7a

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
59KB

MD5
d4e913ef4530332a51967b54e004135c

SHA1
befd42975219b1b24cf78327090b1256b0d174fb

SHA256
bfe163e9cf652009fbcba79ceb215acf3468b61ac46871b718c87b4d97f22e9e

SHA512
7e992ccf7b6f64c9d6a132036e72a05ae7fe5fefe9719262e52f4d0a8d8c5b17b5a4245bafa8c79d943eed12abaef442957c6587236cbcb5ca306cd69475bd28

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
59KB

MD5
70465eede06995e83faf1176dcd677b5

SHA1
f53d5f47b65fbdae6bd50e7caa3a9bd6389e3da4

SHA256
6f144e25e6b9a352d82de2fe231e37970e75c833a8336e32b6a37f6b9003f0cf

SHA512
b409fd8ef1fa996aa3e83f4949824dce5a4a08d9a18f0a5060d2a9b753a8e8b2592f6758947b996c11a7299cfe7fb368e92bcf170e2eb0b8f8c01d02d75ded21

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
59KB

MD5
7bf85f31674dc23ef239d2f9ea8077ed

SHA1
353c306ec5ba5c3ea24e73779fbf3e434414c4e0

SHA256
cf26f3105d4cf5d1e438e93fac0b0c50431609222ca5e0f485399784d760714c

SHA512
cb99c51f63e76f95f635f616cc963b2b1f3ee9102b8340605fd4b9c8b6ee9a9b5a9f387e5588dddbd6d01123306b447753653ab69ac1d7c2cc2d4bc7163f0bcf

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
59KB

MD5
9a50c909a69f57d7aa1bbbd694b593b7

SHA1
6c4c3b45e3b8e77eba86a21a6bbf09f28176e284

SHA256
ef4a6988b3ff2fd2d48ca975013f4d4083be52e676273d2df17ffea622428d8c

SHA512
08ac76f800e0f772247471a7290d5bb61d0b1661a64730b14758e5804b4fd9db429ad505ec29847d0918d964349b57169b7d4b40c1f98f1a0587a52f0c0a3057

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
59KB

MD5
d02a0dd07fbcd4e0411f81f92c71e9c4

SHA1
263ef6a60b42875f8893d73d0ee0962e5ca76b51

SHA256
07fdf4a4a8dd58f97c16ef36cd462c6bdb2b1d501e904c6697ff6462ff9dcae5

SHA512
f12ef44fa5fcd071399552486aacccaea542ae758793c6ab119fe8ffafc3c5f65b2f94af0530a940d7530562ed680200b22efa48c73027e0a8b535cbdca6ed42

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
59KB

MD5
776b0374541d0bb90b08f01a6f841462

SHA1
e653f04a41832cae2bc57b3ae8ba1260565a83dd

SHA256
26c19915722e1e5cde6e66752d22225792daaf6f016203c461d688be1f4f336f

SHA512
8ca47cb1276efafc427fb244955f7a203d817b2b9e44939544bd1c095a1997e46bcd9ca9374911c2a473df269c86d199d5e503a407b0ece1c179362bb16274b3

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
59KB

MD5
89b07821db3a24020f8f1fdabe57d1ed

SHA1
456fbfda502713cb04a06b27222b0e6d169aa962

SHA256
62107f2698f960f90e833ffdd13f020de842e4c53b7be74b0cb3f342188108f8

SHA512
f99c41eedd7241bb3cf4341093bcaa76dc66815f596dc5c7070bf5fbc294e0b44156408b8bb2abf27636b2c7fc77b093b7293cd361f266fdcfe699ca75a1ed2f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
59KB

MD5
83021580c98496259752b074bcec3355

SHA1
5a76836c847f8102716f68c1a590d4b239b5a4a5

SHA256
75f008d738c8bce287381dce95a03ece7e1bc778f3b321ad4ea6bc7a0c7acc44

SHA512
2d28114f627f41f88ca964f619b4b0ba25fb1aff9ea37a07637c040b997451c33c36a3e7b1559be156c33882143f1a148046ad39a0634b3d7432da19ae55fad9

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
59KB

MD5
ab63d7af1f02dd83960eec05802f7700

SHA1
c93ca7a8aa53537b1dcb4be8df35d18588f69f51

SHA256
61b2349fe79a600c44a141f9c913c3c76b59493877583d378a71ff8bab36035e

SHA512
2d9f91ba38d949c7e4b50f5ea33078fe9ea1c084b51e465b075f8f719288ad5332d7fffccc63aaad2ff7f5a3e50ff2984d77d5d2f8507490814e3fa61329fa8b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
59KB

MD5
c4c67f14e6cbf9f936571530c1f5ecc6

SHA1
ab88e87e2a5cb61fb5ceb8bf252b938bc06a7e33

SHA256
eb7b6b013802cadb62dbf98a9f553b44249bd39b69a8daa441cd8a910418701a

SHA512
060b05c571ea778140480a2857df4ebc474fe4edf714f643f65b6ff2cf35ceefcc1eb83fcc5b96b4121b456264c56969fa974e2ef9ab89bc859412858dc0a1cb

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
59KB

MD5
e7f461f46526578c60c5ddeffd3891a8

SHA1
20ad875dc2e7649f4c82264d964a9194e79d2573

SHA256
2ddc9dbeaec92f06fa01329347d36652195f759e09ad1e2a8ad98a6d3d17d658

SHA512
8b15ed881298ae9323686527e50f907f7436c028e77dfd941695afc9a87061320d17d406afc9194e8dffdf742fcb00da3545126830b54860c360d22872ef38d4

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
59KB

MD5
b03974d848a88f3cb53753b7a65e3b93

SHA1
5981fe9c2c47a04e2156f147deb84b3547321fbf

SHA256
68ae9fb9d1455b3b1cdd6f617947cd08f20edd4e1e67619066085d35cf66507b

SHA512
24c2daf0fabc8cab2655ad26828621be1008908b3201fc64d7c54bbe1f9fb89fc449efe2497518e50fb21a21f322d807f5ff9fe199a1f9fe4e11c463e7c3c828

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
59KB

MD5
94da15b2a677255fad1180e7d319d207

SHA1
424572974aa29b7d520dba56a7dc1a80db524ee7

SHA256
aa01972e07f378e8f92418262ff7261d7fc1895e88e8f22d092fcff9227923da

SHA512
1081de0bcc487840dd745c44fef00e118b18e726937122dfd062d58bf58d7fdd2d76068519323ffc79e0cb0199e42a1c658203081cd6eedb360692e5b81cfa44

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
59KB

MD5
4acea900932835e24e542a0431f7cf3d

SHA1
d33190bd008392320555f5787184708ffee11154

SHA256
7e998d5243aa50c7e45811e0cfc4dede0f280e1e3a0b13ebea9d932c4628b59e

SHA512
af3b6f3de1eface712d3c7f15acd6998549ff110b20146f5c5ec464704eae792e9b3ed2d11626816790e79a6c432080b0a0df0ed28373e4183cf95972037f644

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
59KB

MD5
a47d2f9ebe4b006c79a0a9efe9b57b11

SHA1
4a3ee5bf647a0e53f301f587095818859f931caf

SHA256
99e09968a1732215a603aae00b922ea077f56612428506c4213a8f71efe7f466

SHA512
c4ca8b40a595ab4f88f92b69255c3c8cdaa8fa791ec5508702fed63206bcb276709af4c94ec86e2dc39d085d0fe863e2d49768593a114bac51843ca22873aeea

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
59KB

MD5
947f5f7c91ef605cb1a2773db58fc3bd

SHA1
80a75800aa9f7c293f45a48aaee113ed79c366de

SHA256
57f4beb898f7f5498e2fd2c6f17ef9ce73859b9b11103772dbfd961b46a6adfa

SHA512
bfe3a176c62560124989c0c4df2b008a8ba43cc6cc82154322d222baddcb90988f3b4b9b836a0749d09ea0ab8f857961b9eced86543efd80f60b54dc4d42338d

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
59KB

MD5
f022043902794e7661d7ef59888120e9

SHA1
ef842dfde449ed702d884bf369dcce2edd0d5e15

SHA256
d21c08cfc305460c470dd251492769e7afae52f3d523ca2c354f84a27d84a165

SHA512
c267d25c8851b69ab1fa7b112ad5cd9f82b5e65a8f2dfaef3d277c0627089a457dfc6a34235579bcf33048d02119e88c964e8a1cef0fbe38f1c0a301b3cf2fd7

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
59KB

MD5
6a47bd24909673c631d45b3755e25959

SHA1
586a3edde46d30f1a29a82c96b373782a871f958

SHA256
533b98206e04d042d1cc439976f0a393bf49f2810c745fca0d8c6226532df711

SHA512
a05401292fbf1db249fa2ae8dd27d959fb6d4e0f0ef52951574d9811a7bc87926c9e076e0c9a461166651a1fba766786c64338d4a2dab39e03d5a82e16c13997

Download Submit
memory/32-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/244-236-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/468-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/548-470-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/548-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1088-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1088-464-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1116-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1116-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1120-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1172-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-469-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1252-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1280-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1280-468-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-463-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2056-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2060-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2112-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2120-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2120-478-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2216-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-456-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2900-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-462-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3000-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-473-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3204-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3204-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3220-474-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3220-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3488-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3492-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3560-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3672-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3672-475-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3944-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3944-465-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4060-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4072-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4104-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4104-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4152-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4152-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4196-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4376-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4376-450-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4388-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4388-479-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4524-476-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4524-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4528-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4528-472-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4616-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4616-451-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4660-477-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4660-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4728-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4816-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4816-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4832-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4836-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4836-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4852-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-457-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4904-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-458-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5032-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5064-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5072-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5104-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads