berbew | 8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Size

96KB
MD5

931921686f75ab346dbbf39488851ae1
SHA1

7a993cc4d65cff150ae9c24fae1135cd90f1b574
SHA256

8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313
SHA512

70637f72cc021d50aa49ce1ca0cdd765cb310464579e372c59e2666dca386270b5bd4b3f7184e58428908bc55d69801a42b8040e588996005ae11428ded060ef
SSDEEP

1536:5HQRFlZ6ztHjsjYyP2VzGdsCdlc4vVVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhg:CRN6ztDsjYC2REo4tVqZ2fQkbn1vVAv7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 62 IoCs

pid	Process
1204	Pqpgdfnp.exe
1608	Pflplnlg.exe
4440	Pncgmkmj.exe
3988	Pqbdjfln.exe
1004	Pgllfp32.exe
4576	Pmidog32.exe
3008	Pcbmka32.exe
3924	Pjmehkqk.exe
4184	Qqfmde32.exe
3416	Qceiaa32.exe
1648	Qjoankoi.exe
4080	Qqijje32.exe
3468	Ajanck32.exe
5076	Afhohlbj.exe
4480	Aqncedbp.exe
1700	Aclpap32.exe
3640	Amddjegd.exe
2680	Afmhck32.exe
5100	Amgapeea.exe
4236	Acqimo32.exe
1408	Ajkaii32.exe
1060	Aadifclh.exe
2108	Agoabn32.exe
3136	Bmkjkd32.exe
1156	Bcebhoii.exe
2976	Bfdodjhm.exe
832	Bmngqdpj.exe
4916	Baicac32.exe
700	Bgcknmop.exe
3436	Bmpcfdmg.exe
4700	Beglgani.exe
1576	Beihma32.exe
3840	Bnbmefbg.exe
1892	Bmemac32.exe
2576	Chjaol32.exe
2136	Cndikf32.exe
3572	Cabfga32.exe
4596	Chmndlge.exe
1448	Cjkjpgfi.exe
4172	Ceqnmpfo.exe
2156	Chokikeb.exe
5056	Cjmgfgdf.exe
4404	Chagok32.exe
2516	Cnkplejl.exe
2732	Cmnpgb32.exe
3628	Cffdpghg.exe
1116	Dhfajjoj.exe
2252	Dopigd32.exe
2904	Dopigd32.exe
980	Dhhnpjmh.exe
1428	Dobfld32.exe
3052	Delnin32.exe
552	Dkifae32.exe
716	Dmgbnq32.exe
4584	Deokon32.exe
2488	Ddakjkqi.exe
3956	Dfpgffpm.exe
116	Dogogcpo.exe
4428	Daekdooc.exe
4984	Dddhpjof.exe
3904	Dknpmdfc.exe
1176	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3168	1176	WerFault.exe	143

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1204	2560	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe	82
PID 2560 wrote to memory of 1204	2560	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe	82
PID 2560 wrote to memory of 1204	2560	8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe	82
PID 1204 wrote to memory of 1608	1204	Pqpgdfnp.exe	83
PID 1204 wrote to memory of 1608	1204	Pqpgdfnp.exe	83
PID 1204 wrote to memory of 1608	1204	Pqpgdfnp.exe	83
PID 1608 wrote to memory of 4440	1608	Pflplnlg.exe	84
PID 1608 wrote to memory of 4440	1608	Pflplnlg.exe	84
PID 1608 wrote to memory of 4440	1608	Pflplnlg.exe	84
PID 4440 wrote to memory of 3988	4440	Pncgmkmj.exe	85
PID 4440 wrote to memory of 3988	4440	Pncgmkmj.exe	85
PID 4440 wrote to memory of 3988	4440	Pncgmkmj.exe	85
PID 3988 wrote to memory of 1004	3988	Pqbdjfln.exe	86
PID 3988 wrote to memory of 1004	3988	Pqbdjfln.exe	86
PID 3988 wrote to memory of 1004	3988	Pqbdjfln.exe	86
PID 1004 wrote to memory of 4576	1004	Pgllfp32.exe	87
PID 1004 wrote to memory of 4576	1004	Pgllfp32.exe	87
PID 1004 wrote to memory of 4576	1004	Pgllfp32.exe	87
PID 4576 wrote to memory of 3008	4576	Pmidog32.exe	88
PID 4576 wrote to memory of 3008	4576	Pmidog32.exe	88
PID 4576 wrote to memory of 3008	4576	Pmidog32.exe	88
PID 3008 wrote to memory of 3924	3008	Pcbmka32.exe	89
PID 3008 wrote to memory of 3924	3008	Pcbmka32.exe	89
PID 3008 wrote to memory of 3924	3008	Pcbmka32.exe	89
PID 3924 wrote to memory of 4184	3924	Pjmehkqk.exe	90
PID 3924 wrote to memory of 4184	3924	Pjmehkqk.exe	90
PID 3924 wrote to memory of 4184	3924	Pjmehkqk.exe	90
PID 4184 wrote to memory of 3416	4184	Qqfmde32.exe	91
PID 4184 wrote to memory of 3416	4184	Qqfmde32.exe	91
PID 4184 wrote to memory of 3416	4184	Qqfmde32.exe	91
PID 3416 wrote to memory of 1648	3416	Qceiaa32.exe	92
PID 3416 wrote to memory of 1648	3416	Qceiaa32.exe	92
PID 3416 wrote to memory of 1648	3416	Qceiaa32.exe	92
PID 1648 wrote to memory of 4080	1648	Qjoankoi.exe	93
PID 1648 wrote to memory of 4080	1648	Qjoankoi.exe	93
PID 1648 wrote to memory of 4080	1648	Qjoankoi.exe	93
PID 4080 wrote to memory of 3468	4080	Qqijje32.exe	94
PID 4080 wrote to memory of 3468	4080	Qqijje32.exe	94
PID 4080 wrote to memory of 3468	4080	Qqijje32.exe	94
PID 3468 wrote to memory of 5076	3468	Ajanck32.exe	95
PID 3468 wrote to memory of 5076	3468	Ajanck32.exe	95
PID 3468 wrote to memory of 5076	3468	Ajanck32.exe	95
PID 5076 wrote to memory of 4480	5076	Afhohlbj.exe	96
PID 5076 wrote to memory of 4480	5076	Afhohlbj.exe	96
PID 5076 wrote to memory of 4480	5076	Afhohlbj.exe	96
PID 4480 wrote to memory of 1700	4480	Aqncedbp.exe	97
PID 4480 wrote to memory of 1700	4480	Aqncedbp.exe	97
PID 4480 wrote to memory of 1700	4480	Aqncedbp.exe	97
PID 1700 wrote to memory of 3640	1700	Aclpap32.exe	98
PID 1700 wrote to memory of 3640	1700	Aclpap32.exe	98
PID 1700 wrote to memory of 3640	1700	Aclpap32.exe	98
PID 3640 wrote to memory of 2680	3640	Amddjegd.exe	99
PID 3640 wrote to memory of 2680	3640	Amddjegd.exe	99
PID 3640 wrote to memory of 2680	3640	Amddjegd.exe	99
PID 2680 wrote to memory of 5100	2680	Afmhck32.exe	100
PID 2680 wrote to memory of 5100	2680	Afmhck32.exe	100
PID 2680 wrote to memory of 5100	2680	Afmhck32.exe	100
PID 5100 wrote to memory of 4236	5100	Amgapeea.exe	101
PID 5100 wrote to memory of 4236	5100	Amgapeea.exe	101
PID 5100 wrote to memory of 4236	5100	Amgapeea.exe	101
PID 4236 wrote to memory of 1408	4236	Acqimo32.exe	102
PID 4236 wrote to memory of 1408	4236	Acqimo32.exe	102
PID 4236 wrote to memory of 1408	4236	Acqimo32.exe	102
PID 1408 wrote to memory of 1060	1408	Ajkaii32.exe	103

C:\Users\Admin\AppData\Local\Temp\8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe
"C:\Users\Admin\AppData\Local\Temp\8fe55c21fca3d81535ffc40753705e1d59131ac7c3aa0cc24b73566973c0a313.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\Pqpgdfnp.exe
  C:\Windows\system32\Pqpgdfnp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\Pflplnlg.exe
    C:\Windows\system32\Pflplnlg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\Pncgmkmj.exe
      C:\Windows\system32\Pncgmkmj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 216
        64⤵
        Program crash
        
        PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1176 -ip 1176
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
96KB

MD5
80e351891ad0cc02d853c2ced6533be7

SHA1
4d0336aa68d477cb506a2c756274dd67a90150d5

SHA256
6623b8a16915f0795aaca78067aa81cf223bf6b8cc8f22b69bc7f8a5205c74fc

SHA512
aabdacfa68f511590ee9a4f2877083f224572e10785a621132f9d8308b28f19d462b90a92f3ec92e283a5820a949856ffef63c75d4fbe08edab0af77e01d3bda

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
70e927477e78c41c5a2386d57ab08fee

SHA1
3174874601b4fcf93a15e28b104e5deb1a8d984a

SHA256
24d1deb1a18bf9bd85b766e499dbf6ec1f183c1a97b024003af2ec8d410dd408

SHA512
104de4f0baa010bec5dd9c9530f4080adf63d53239cbadfe3860aaafd7065c01b665a7c07820c5bd3b8372a80ea11242697ab081f5b294c8d8cc678095e4afcd

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
96KB

MD5
9f9202f651a9dc5f580424a9640c817f

SHA1
dccfd8d5b60bc72f34578a7a8d7f92f2c33d667f

SHA256
a517762cf0c6cb40fbd0d3c57e9088120a872ce044f906680412940461b6f82d

SHA512
e375f3ac6d4506b2715e89e9616c63e22ef19afce9513a7daa0dd54336de1f3bd4966ff60dd24568963f3f4a32846416f991448ed30de8e053ad9e68c9dad975

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
96KB

MD5
60c8720e7f4484afbda8fcdf481a822d

SHA1
2a476a6697120bf6e49b2b162e249f935d0750e9

SHA256
873e90667c0a42d0fa241645665e1f7f9507f5b55f62765b4f4403b40575c0bd

SHA512
8e073e809af476ee11f81a6c5c9f051b20d3b1a7dad3f6a4640987225508348849125d786989a93756c00ade68d45bb7a870067134303a873f18dbde3c602240

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
7fce8b351a42820cd65428f42df105cd

SHA1
16a6131a4d74e3c6254ccbc8d566006318582227

SHA256
a9db164dd2ac3ff0a18685a78d0f1e7c35e239eb0336767d76732d913b38ac3c

SHA512
d2651a2884d28f3be682f2b34b55e8e62953e27417ed817a1eec8220914c3f1aeefb6f1e17e6e39280a08c9917603ecdc887445edd54aea6ab0d94ff3a06debc

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
4bd746a95ebd1a84c15d59183b05aed0

SHA1
9b91e150869aae1094ec4a18b67a607af1a9e923

SHA256
7ead6991466233b68e7ac3888e660987200d43e56cfecac622e1325626bd5bde

SHA512
5e692c2473ed28aef52c404bd5f8338b4fc3688e6c44c71e3164411c275d95b8076067ef12f3018610f7e00f54045297455f7543b36602efe4e44cf7a595780d

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
96KB

MD5
10593f1238c42cef352eb0f7588f7f77

SHA1
3f004ba8a8868e33707a7065cdd9b2518f65431e

SHA256
87db447e135232620275cc86ce4e7df582f83b060938d4f0e78590160f8d3f5f

SHA512
4fb9d618d25e179350b3fc68f6027cdc08686aa4b62bc940053ebd0c170bc9e4b1dee5bce0f1e674c629ac9dc6a811373a63748e156bf9f54b8245f5f4a1fe53

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
6ef8df3d3294b84f8410b211c9b8b3f0

SHA1
00010dedcfb28fcb3ef2f110015003b5307053a7

SHA256
304fb1f203a7755616227ccce9d68b832098505683f92fa227c688184c9b89a1

SHA512
a325807570a8721c8e55f8388806de277487f0e76f7ebd6cc4b582bcc1c8ea53b16cd2bd2946a01a526a840dbacb3f54b360d66dd42739b132b34008778061c3

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
9c4240427a15ed8894e589745811ecb9

SHA1
2acef9f517556159f75bb1a5de544691e0ed1e1c

SHA256
9682d339fb3ea2cb9bd50d9a745a2621a2833b48080fc81b178fd794fc490a2a

SHA512
b406a00de4eda1beb8ddd1e110a7f3c5bf2ec1b9cddd9299167aee6b565d34f83ee88d5a6804ab728e857afa1107118cca841a6bb0e00d9f77d1f54551fcb7a6

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
ed7365b343fa3ee3857094cf5140294e

SHA1
629a79adcc1f5d9898b455bbd159a01b5aea4fb5

SHA256
a484a16c1168da67d5ce2057c73259e20907bc4b3491f20b81b04c6455ee1ca5

SHA512
6b4955454d3510cdcb67731bcc37883d19bc653b4c500c5df2baf2c32dd8e6eccb90ff4815bb67486561647cfea9ff4670a37770475f40631aceef0e93f23565

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
4f7ed1eb778afecd9ad545503cbdcb88

SHA1
4cb2eba9aed6047bcbf0a3b3b572913dbe950c54

SHA256
d8a826dc52380e47442d10b545b05fe78456695b0c2b3573769421b7636598f8

SHA512
efd6219c7f31d557fe3f5a33a756f30223675bfdde7d194040487ee21c48e5d570813dcacd7fe903d2fb3f8255ab7849c4b19cf0b6e45008f3ac688f1dfbecb7

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
96KB

MD5
44f6bedc83024905136654c42c131d6a

SHA1
1e53aa79827ce62de54dcaba9f88bc7f2ed6496d

SHA256
862e528e5c7186d5fe89b99b6276213cd9850d034bd96c6dec5b77b148fb68b3

SHA512
5493a4a3b40679b422ec038288dc1352200879bfc731b9220da2f0af95ac5ff548940e476fe0b8c8e0a0c765ade915073b33b2c325ca9849a63755db175dce79

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
25986479fb1054da74399181ac5340d1

SHA1
377cf71b322ec4c5c93a696249e2d476b1f226a8

SHA256
2155fd6a6ea05a9fabb66deb4a0e0fcfe7c2cada998630a67c0ae2f32ed6240e

SHA512
cccc1cfb450f75c2209a04d84c0d4d14d7a48a56b9401b11ed97e5f7767144827729d6e089ef30221b881f5853a7819b4255e67345441a8ac034dd878c987883

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
f5ca05efea0f77784036c84368ec4648

SHA1
3de5e117cc3ffa7ac1ccdf9d54ed0a16be5dcfb9

SHA256
0d217ea4dcf28722540d379439728647ae2cdf4c1f0bb1a4dcde9d8e824efb35

SHA512
95f83a9d3c6aa71340ce7cd2e96b3137fc08eaacb265900d446f9c81f28edbc5bde4ef2e5f766bbe477613640c46e5ed96e715225ab5a413c4fe4cd4689c4c6e

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
3f655660f354b40860887cb9e152daa5

SHA1
da44a1e5ea3f40d03f77048e9eb41e826bff9a0c

SHA256
12cca5141f943e1c6edaecbd3565e19170c494985b322a9c8ec49ecf456849aa

SHA512
da9f834bdc1e9471621acb88f77a47627cb5088827968a304848420d90cd7f1cac40b66ea2a3e4be352b51ba9071915e8e1caa793e0eb5c7b963afdd902c5ee9

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
1cd7c99de40db6b239410573a7e34821

SHA1
e987189a78d03f9cd46fef7fbf7ad48f7220d35d

SHA256
b3677e1b74f2421eac6c7c4c5310c3adeec4cb148cb496f3bdf2d9105235abed

SHA512
c448bbe769454a77f25dccf7cbf0eea39e355cdccd90066e5516d4436d189d0d1692dc82290a91927dea9d09c7072f83a822ef779ce207822152f34f7259bc81

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
066ee26620534fbf7358d19f5119c7e3

SHA1
12ba8970b9496c16ea5b60a7751216d0615eccd2

SHA256
60ad5943b09cf500924d728e18ec9d56e55edf1560114fe9c98f30c9b919b067

SHA512
26d1dcab38fee9f4bee832d7264e1786d82c111a7c6567eede2ec8a226c692e3a842f0ddfca0b9d0ba11c4385e98fa222ec403864c977bcc277b33e90cb8a038

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
41f52bb6089df6f9d3850a359a9993ea

SHA1
eb41fdc352d4e6e9b8460b1e79caeb7cea2e40d3

SHA256
e797fa523877d7c096a8ce3c427988bddaaf8a3aac1fe036a77ec9e960df9731

SHA512
79cd676feaa4481741343d119b8ffb2241977117327241ffb10a478264a424351fee981bd0c02927fc722ee54236e5092842d65e948bc3c36d8a6a9ad4c1200f

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
203614bab96b6a96a02234aa364ea84b

SHA1
26af9e3b7e15b75263be43f8c2126ec3cfc3ec81

SHA256
9c6ab4336127f0d96d2761531b9feaddfddeb08fc0616678d891bd04b247a2de

SHA512
a20e9d51f68bc13f34d8ac3d130e1d078b1e87cbf2eac15cc0d513c7a5b918c1120e487fa90da55b39ea1e0a96f73c73231fad63136f29f9818f2e51b5204f15

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
37795b66623e22d7e13f083d4ef2fa64

SHA1
6cde7a47609fe8414c1456bbf6dad8492b03fb69

SHA256
341995d7d9313ba4cf37d561e308b1f36d0fc9b785fb5716010653a9be4e98ff

SHA512
63d0e616655d132615717dd67854d0954002b277ebf8b8dd2aef11e5c6f67921b83216f7a775b40e858ebff7511248841b04a7adfe0b3be1eb21d15b64980ccd

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
b47dccf29b4201dca5cfb14fb54623f9

SHA1
08628b7b93e85bf93d341089d5ef37b9b05e512f

SHA256
b5a06bbaf465e4fc2238a75de9735cfcf834a2790ed8d8525e134a3e1b238b29

SHA512
768f978871c7d9cd7dac45643e4250b56babf0bd0f877286cd8545cf04f8d2f0ad29337f46215686615bd06d43361bf1a5bbcce0e0e7428ae0ef9b059a0edb45

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
4e532e0f2afe53f53a75833a8e240a02

SHA1
efaa8bfb66f39f0589f75690acfb9ea99abe9e44

SHA256
1f8cf466519ae8a57b07ea83ecc4ba5ec78d8382cdaba9b6cfbd4199651851a3

SHA512
3932b2ebf1ef80e5e017d92b356d926e8183badebbed676d323fa4ba0619d249310c34574a135a8de49b493b5f9f33e0c9a5bce37516c0241bb94505d0ae7bd1

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
e466d029b440e7580d78ba1982593c78

SHA1
6d2810e015084e0aa02ae1eb07ffeffd0028fefe

SHA256
7eaeb23512a24a8c7e78a64267d0d7ec4749e01c7938dfa5af53213792e98e15

SHA512
f55d9da4dd38dc59615874fe7c38d622affacd139c04df97520ecb0829198a8c918ef7e28be2e6bcaf2ae538001f45cf341d7f0c733d8a728cc3849e04c2e2f1

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
1e50ca62168fab602f207d9fd4f58fda

SHA1
a3bcb085178a680391d25f2b4c6a2c0ebe12439f

SHA256
4612a3bfe1cb54a34410919631b802d83307fa8fb4de673b3ea0463ec87d9b01

SHA512
644d7ef78c0d57fa6e6b9d460c3a04c8098d06aafba4c9b3410e4ce2d74a99387f3c66fc36b4f163e353a5608ee330fbbc27729cc7ead3b50904057e7e682356

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
e2705b7828946430c9b7416be7672307

SHA1
32108483488f47f0893a5467661286b176814ab2

SHA256
554e2eff0bc3ec00f8be9aeff6b8adcdb10c6c79a7b5dbb32428737a23b00043

SHA512
58189b5600244b7d69c27b8861c44b46ccfc67c11a8574606dcb193712ebb7a9cec5037e7ef5d9929e1ed105fca2d08692ad0ce13a6cd9277354e4cf65a2892e

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
ae0eb54024e2691ab405f814dc135414

SHA1
f94b3002dfb9c5d981d7309be6fa15cc238b795f

SHA256
f73d7406d5463300903ab8d9327cc647f38f11aff194df7420f573afa31dd22d

SHA512
8191b75118dfd5766d34c05055f1355489eddd720c64ef749f9e5abfc431847177122f682c1934e86ee41ed18649e65c98022a0ef83c322287fc82e7c262dd64

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
6cafa865e88f363df9e9807243265f0c

SHA1
60d24cab05d1a001f1b6b16aabc6326769fc14cb

SHA256
1e7103afc00673b09cae0bbc16a2d7e4d1b78571722b1e4f6a58cd1811af3952

SHA512
c72630836e8f11cad0a3014a2121a7092f21b853b592e17a55a33dd771667e07768b0d32d4df8fa25c4a6c2a3bd65f0db5c1b3b41e13bb1910a3b312ce0ffad2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
ff5bc54887eb0116c1d4a9a5d31412ad

SHA1
62488d139d40019bb5f08395fbcd6288eb2175b4

SHA256
1934788d5fbd45f3ab924c1b05e0b583b5c6695867d2e023cbe569b7cc1f88c6

SHA512
713477cb8a09c68c9d20a78cb0fea2c88b6097a464986bba1520e8702be02d27a8878a05080009405d6429b7a5be9f87a16c0c4e3378b2ee1e8a208e51a09766

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
7340eb6253caec677398a4b2a27175a1

SHA1
856b098c0d376f619b69f425c135b41478f49d69

SHA256
684edc888f89bf1d06e42c60ff8dd4f0e452c3d27c2f7c0522967b4642b35c4d

SHA512
99e310cd085b56e8c412b73b0813130807d53bdeec67962b0d04d74b1b2190b1f453fc0b0b71ff8258f26b290f86e5a2b8e886c54eeb388ef6c968d2273d4193

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
43ec9312e69c12da0a86d0dd461630d1

SHA1
d23029e4371635c5ebff5500d78cb07fbe97d252

SHA256
2ba245652c54af7d527e4b177b8b94ad03d6d0aa979867f8386db8cfc3c5a452

SHA512
7c59b5f6073f41a865a74995d1509b17f0f6b77a6715d0e3f41c0a5876c7e9279df09e22ed571f6c3f704c2e040667d182b0663f61fd26928cbdba9db6a78ee4

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
73c2c0ab5e0b6cc7fa4f962496c8d42c

SHA1
7b29d838220e00d2f565b9af6366d0cda5e536fd

SHA256
27a9d299e1994ba7fb8d8ab1d14e65fffa0f9b04e7cac794de461e0d40349659

SHA512
8c789961255d2ce884b14256711288161eb2554ce14507a94b56260f852ff694e047035675ca846e719a4d3c81b7445f0ffda8592dd6a9e01d4609b00efb5c53

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
ed9c3036de7d09bd16a6286ba1fec5bd

SHA1
e64e7b950d6d9a7cac143a1b539fe49204ee7c0e

SHA256
a27c810af5dd34caf914298b31f4563720a3f724a7304eea993f26358984d99a

SHA512
11c35551432c94fcfefb7a64318929f3db8ded7ab1272152dea81c82662796d6cfde325142a4b76b57b3fa57cc49dfe1d4d379031faa4c8a4f324777f9208205

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
1eb2f42f356cc8dff7dad7befea23a3a

SHA1
ec301b69518b021015bcd4104409eb431f381c4d

SHA256
9eb6c1edbfdbdab5a3c6d711637f0c6e0d0f30f729fe51a34a6a6d3507d0c507

SHA512
50c9878fe58b81c8208f0c195599fb922e236166c53ffff443a5db759ff85e8a888897fa1f60141a4a0890d8429cc0a8cb818a1a8c9c72be5411da0bd49ed1e4

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
96KB

MD5
80fac1035e5ef8e1a2e2bd0f4e91cda0

SHA1
0b71c2bbdf3b6c316d693335fbbced1c12b3394c

SHA256
66de7f64de2cddcc4637e81c388acb239207bf94bc473e7ee261f10b59cea8c0

SHA512
5e4a9519081a043d0a853c6a082fa80d2cbd73defb93ae99a565adee33ea023045992957c563ad2b1a01eb21b54a5341d45d1b1e0c1ca52a40a54ac17808927f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
ba7a47efb1af6d06693960cbab862ddd

SHA1
1d607321e365669a1e7341fa6ff8f10553a20574

SHA256
6ce7aa7055cc0c79db70c1a4254aef57765296850279df6f96f23c19c7e0c314

SHA512
c652f334d239fa2b9279d2d98a9d59928f47052626a15dcde85c1806a89b2d310bd4a45305d146976f4ba08f8c54dfcf9e896115a5c0ab0c311dc99c31a614eb

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
96KB

MD5
2085db83b8295b121b1fdc1668699ebb

SHA1
01b9297512599d92c7149da0a58052f258568ce7

SHA256
9c7a02f0eaf69dced625cf5afbefa3d1d2551fc69a36e9ab2096644839a2dc49

SHA512
db762357790f74e30743257ce504336da2dcab7774f0829e7c61fb6f9afc1cf2d46cf88bd9a6fc8d6afde9f13b4c1f3c00f25e4fe49e2679e7548fae8cbc6c0f

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
af2f5c13d092764157cf5fc455b58d5a

SHA1
8ccb01c1eb0f65e153aab8edc6d9ce3b9163157f

SHA256
8d2e008005d8d1fe035d4d51f1ec3ae088e6b46e783c9bcc564b8535170b7e32

SHA512
d660bd3c553843ebc727cd92bc5f45ed5f2b613958bc21464cd369174b4adfedac1bf68ec48145e9652df4797471a3e5da41d93724b45d893f5a41d9066a2ce3

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
49f01fd90a8e25853df83b1ffd429264

SHA1
c36758bc04ccb2ee310cbcda333da00de66a9423

SHA256
97a37beafc182467469405043c1ef1e0a3d63060cefb640b5a78c23cf00ec367

SHA512
a3370e8b793e8668fb9e373d65a7c698df1b632f1bf3932d2f6ac7e12f61289f427d316463cbc47547901e855aaec477ba11e8c8f47202f0aba9e4b94a2a311f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
01daee31dbc253813f4de6379d99e6c2

SHA1
060f3321ed34c8515ace7b1bb1086d3eab16c3c2

SHA256
157e9446b4a8c11b0312bc8a685dee20b48c4894b0e77fb881877b54678582f8

SHA512
fdd08d46ea0c5ce52ca3b22545514fe74050550d2eacc0ae03d980c3f0e2abc7650a7a61d94de87edfd5f20d8022a467726de7cddc87f30291420b3fff3e6d00

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
29c22365bf4576b5de61d8f00ca7538a

SHA1
3be0da40182b46dea31367ae25842926debd7aa7

SHA256
d084aadc62ccc32d45510d410e8687665bcca993b01664a09bc395c6ac251b49

SHA512
13d3873de5b4c3b88e6fee45349341f2344ebe7354a1488c8072448d8e5de17408dc6d89fae787b0f4e7165a4aa2ba644127f39c8826e3efb32cda130f261e62

Download Submit
memory/552-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/700-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/700-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/980-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1116-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1448-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1448-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1608-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1608-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2576-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2976-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2976-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3416-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3416-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3572-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3572-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3628-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3640-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3640-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4080-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4080-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5056-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5056-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads