berbew | 6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
Size

96KB
MD5

d90ec94c1fc5b4251c5957cbb833b0d0
SHA1

fe23ed73193140bba503d56549603259aa203075
SHA256

6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22
SHA512

ee834e0282bbd8bd53dd7475e7a197184e25914173249f4b43262e11d72a8f7e9a488ed0e589db862f4abc3027c6234d07fd8370c6c2bbea356f5c0a5bf88a31
SSDEEP

1536:AzIPhTY4amP5vr7sWHKk+IsBS7u44VcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVe:rs4aKiksB+u44VqZ2fQkbn1vVAva63HF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
60	Ogbipa32.exe
4068	Pnlaml32.exe
852	Pmoahijl.exe
2324	Pcijeb32.exe
2112	Pmannhhj.exe
3392	Pdifoehl.exe
3752	Pfjcgn32.exe
4616	Pnakhkol.exe
3992	Pdkcde32.exe
1744	Pgioqq32.exe
2156	Pmfhig32.exe
3472	Pdmpje32.exe
4780	Pgllfp32.exe
3124	Pjjhbl32.exe
4500	Pdpmpdbd.exe
1504	Pjmehkqk.exe
4556	Qmkadgpo.exe
5076	Qceiaa32.exe
4172	Qnjnnj32.exe
2660	Qcgffqei.exe
1796	Ajanck32.exe
1380	Adgbpc32.exe
2416	Ageolo32.exe
4812	Anogiicl.exe
3216	Aclpap32.exe
3068	Anadoi32.exe
1508	Aeklkchg.exe
4112	Afmhck32.exe
4084	Amgapeea.exe
2056	Aeniabfd.exe
1660	Afoeiklb.exe
2132	Anfmjhmd.exe
4792	Accfbokl.exe
2856	Bfabnjjp.exe
1236	Bmkjkd32.exe
4964	Bebblb32.exe
1312	Bjokdipf.exe
3800	Bmngqdpj.exe
2864	Beeoaapl.exe
3748	Bgcknmop.exe
1648	Bmpcfdmg.exe
4984	Bgehcmmm.exe
2936	Banllbdn.exe
3064	Bfkedibe.exe
1636	Bmemac32.exe
2732	Chjaol32.exe
1492	Cabfga32.exe
1196	Chmndlge.exe
3680	Cnffqf32.exe
2536	Chokikeb.exe
224	Cmlcbbcj.exe
3384	Ceckcp32.exe
3700	Cjpckf32.exe
4752	Cmnpgb32.exe
4908	Cffdpghg.exe
1548	Cnnlaehj.exe
3716	Cmqmma32.exe
3684	Dhfajjoj.exe
948	Dopigd32.exe
828	Dejacond.exe
864	Dhhnpjmh.exe
3056	Ddonekbl.exe
3500	Dfnjafap.exe
5064	Dmgbnq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	4856	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 60	4544	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe	82
PID 4544 wrote to memory of 60	4544	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe	82
PID 4544 wrote to memory of 60	4544	6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe	82
PID 60 wrote to memory of 4068	60	Ogbipa32.exe	83
PID 60 wrote to memory of 4068	60	Ogbipa32.exe	83
PID 60 wrote to memory of 4068	60	Ogbipa32.exe	83
PID 4068 wrote to memory of 852	4068	Pnlaml32.exe	84
PID 4068 wrote to memory of 852	4068	Pnlaml32.exe	84
PID 4068 wrote to memory of 852	4068	Pnlaml32.exe	84
PID 852 wrote to memory of 2324	852	Pmoahijl.exe	85
PID 852 wrote to memory of 2324	852	Pmoahijl.exe	85
PID 852 wrote to memory of 2324	852	Pmoahijl.exe	85
PID 2324 wrote to memory of 2112	2324	Pcijeb32.exe	86
PID 2324 wrote to memory of 2112	2324	Pcijeb32.exe	86
PID 2324 wrote to memory of 2112	2324	Pcijeb32.exe	86
PID 2112 wrote to memory of 3392	2112	Pmannhhj.exe	87
PID 2112 wrote to memory of 3392	2112	Pmannhhj.exe	87
PID 2112 wrote to memory of 3392	2112	Pmannhhj.exe	87
PID 3392 wrote to memory of 3752	3392	Pdifoehl.exe	88
PID 3392 wrote to memory of 3752	3392	Pdifoehl.exe	88
PID 3392 wrote to memory of 3752	3392	Pdifoehl.exe	88
PID 3752 wrote to memory of 4616	3752	Pfjcgn32.exe	90
PID 3752 wrote to memory of 4616	3752	Pfjcgn32.exe	90
PID 3752 wrote to memory of 4616	3752	Pfjcgn32.exe	90
PID 4616 wrote to memory of 3992	4616	Pnakhkol.exe	91
PID 4616 wrote to memory of 3992	4616	Pnakhkol.exe	91
PID 4616 wrote to memory of 3992	4616	Pnakhkol.exe	91
PID 3992 wrote to memory of 1744	3992	Pdkcde32.exe	92
PID 3992 wrote to memory of 1744	3992	Pdkcde32.exe	92
PID 3992 wrote to memory of 1744	3992	Pdkcde32.exe	92
PID 1744 wrote to memory of 2156	1744	Pgioqq32.exe	93
PID 1744 wrote to memory of 2156	1744	Pgioqq32.exe	93
PID 1744 wrote to memory of 2156	1744	Pgioqq32.exe	93
PID 2156 wrote to memory of 3472	2156	Pmfhig32.exe	94
PID 2156 wrote to memory of 3472	2156	Pmfhig32.exe	94
PID 2156 wrote to memory of 3472	2156	Pmfhig32.exe	94
PID 3472 wrote to memory of 4780	3472	Pdmpje32.exe	96
PID 3472 wrote to memory of 4780	3472	Pdmpje32.exe	96
PID 3472 wrote to memory of 4780	3472	Pdmpje32.exe	96
PID 4780 wrote to memory of 3124	4780	Pgllfp32.exe	97
PID 4780 wrote to memory of 3124	4780	Pgllfp32.exe	97
PID 4780 wrote to memory of 3124	4780	Pgllfp32.exe	97
PID 3124 wrote to memory of 4500	3124	Pjjhbl32.exe	98
PID 3124 wrote to memory of 4500	3124	Pjjhbl32.exe	98
PID 3124 wrote to memory of 4500	3124	Pjjhbl32.exe	98
PID 4500 wrote to memory of 1504	4500	Pdpmpdbd.exe	99
PID 4500 wrote to memory of 1504	4500	Pdpmpdbd.exe	99
PID 4500 wrote to memory of 1504	4500	Pdpmpdbd.exe	99
PID 1504 wrote to memory of 4556	1504	Pjmehkqk.exe	101
PID 1504 wrote to memory of 4556	1504	Pjmehkqk.exe	101
PID 1504 wrote to memory of 4556	1504	Pjmehkqk.exe	101
PID 4556 wrote to memory of 5076	4556	Qmkadgpo.exe	102
PID 4556 wrote to memory of 5076	4556	Qmkadgpo.exe	102
PID 4556 wrote to memory of 5076	4556	Qmkadgpo.exe	102
PID 5076 wrote to memory of 4172	5076	Qceiaa32.exe	103
PID 5076 wrote to memory of 4172	5076	Qceiaa32.exe	103
PID 5076 wrote to memory of 4172	5076	Qceiaa32.exe	103
PID 4172 wrote to memory of 2660	4172	Qnjnnj32.exe	104
PID 4172 wrote to memory of 2660	4172	Qnjnnj32.exe	104
PID 4172 wrote to memory of 2660	4172	Qnjnnj32.exe	104
PID 2660 wrote to memory of 1796	2660	Qcgffqei.exe	105
PID 2660 wrote to memory of 1796	2660	Qcgffqei.exe	105
PID 2660 wrote to memory of 1796	2660	Qcgffqei.exe	105
PID 1796 wrote to memory of 1380	1796	Ajanck32.exe	106

C:\Users\Admin\AppData\Local\Temp\6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe
"C:\Users\Admin\AppData\Local\Temp\6c676fe5f413e4aa38bcd3849068f5466aba13835cf751f176b0c4d2ad67da22N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\Ogbipa32.exe
  C:\Windows\system32\Ogbipa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\Pnlaml32.exe
    C:\Windows\system32\Pnlaml32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\Pmoahijl.exe
      C:\Windows\system32\Pmoahijl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 404
        76⤵
        Program crash
        
        PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4856 -ip 4856
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
5e3af677c72b9630a34266df9014e4c2

SHA1
b10ad7691dbbb1340830fb1a26298b2d9afdf14c

SHA256
d7647645a00d561db33f2123d87b1a2b7652fd5d0d42ec054a69800002f55d2c

SHA512
ca1cf5d07f017f424c15cb7a94b1a0d7a770852661b2c8e31e86ea28e44695a58b93059338776bece289f78f38caab1df12c4a53ce73689ec8f24abfa5649099

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
bb75d7262fc8eb7a08386bf5e5bf5362

SHA1
e61363b42d1838ac6d8cb1a1da5aa17859c91103

SHA256
2121cc3cf0fadbacfdae5a4e1d8ba16ea28a2f55136e5da5392bc19e5adabb80

SHA512
48a799283862ed8f178c7697c412dd3021164f9542ac6d0d341a9b6dd6d3d423785303f0b446ee0fe0f69d6f5c21c4d960bb3c1d17cc17f7455ab98db92d065f

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
fe06a4527a479316b687d3f59d881be1

SHA1
b61cc7780cd5c4bcbaedd4e54c3c8cd259a09b4c

SHA256
332789aee5b9d41ee5e9d4b1c66e3efd9680eded12b08a4f01cf8daf81beda5c

SHA512
f49890f7e6ac00f3341f4d289b7e498206e151c73efb92f9a7d00e0b544b201f66bb7adc8a5aecdd2088a80234d014d5e37ab3e57e6144116cf07d4d4790b828

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
617293d8c60555140557b34971473543

SHA1
ea7d0d255d97ae7c4397ffdb1abe69fd8e15c3da

SHA256
276fc6e40dca541e7d536930e0bc3a96d02f33aebcf922921206bcbbc0a5cd53

SHA512
f092bbf1ab3b086479f15de73edbac45803b1db4b5a0761247b65f00fec20c191969ac7f9e0aac56d61af570e87a9a982b1aa13d9be314942197850b86653d1b

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
b3a21ae7f621811c9cdc0f2e5ae386b1

SHA1
06fc329b22fda1dff61451980d116be3c78e6734

SHA256
9249edb7541939c423a113c78fd3e156b79ea6d0f5c98f4ef0f5cad4009822d5

SHA512
ed4cdbdeeb3e22d4175815d4b35beeb0f04617d23fecb9d7ab75af6e437e93617d453b0e765630b9cca97853c9b781b7e8de2d604fac44e38d8d4b6b3774eadb

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
6531807d7ecaeb1dfea11737dbbcde9b

SHA1
f6a385478989368d90f86ae9ba91d07c86640622

SHA256
5161486fb5a48109302aaf0c48030ad0bc6fbbe796d11122f6950ab0ac5a2700

SHA512
01a6e23e2eafa90c0a52e15765f7e97cef7651a9fc199fbae47b5305fcaa406fe459854a5ba23b8647dda289515246958373ec239ca61ee2e58d13f94608bea7

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
96KB

MD5
880c5df7f5a7934e1564c444f5d6af27

SHA1
5c6271599022d8626d347c985be77a8184f7d34b

SHA256
e5c7b24b027f99d91b9843b6524a1312951f9e4d1dd0ca03d44a7f9e53c8458d

SHA512
c3ca875d953f2001a495f1b8327adda15f4cf3b180c978673f3f0258451ba97b4a6dc9b1a370bc301df0cb8e9508e7e3e9ea7a49205107f8782631a240e17677

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
96KB

MD5
f02472d38bd040be222930a4aa5d28df

SHA1
d1c91073d3ccc9e89513518e2c6841df322ed12a

SHA256
d0c4a5b6123aebbccbb2bd52d224becb03f8d41c8c3e0c377c2daa8e5e312d54

SHA512
0d506802601cccaa86bbbb181aa80fe71edca323b2193836472ce3a27daf6c89961883ce74c02ccb1465379ad2b2e661b6d8ae320ba08a780b6bcf568aed8390

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
802d3e38d82affd587a4f5f05525544a

SHA1
1964f55a576dd807f47176d95753324945b4f8da

SHA256
45d66ed646ed6014e02b257b08da89a8c045244e43b6652db5d42f01d3dc0416

SHA512
5126a6fa95c273d63cb666af630be50d8ee1ae1fbd61ae26f05ce550dd494ddb6f6a089fa4d09a3907fbe81337857faf2e6cb375034aa85dc2cc20e48ba14a0d

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
660ed99ecbe4e269991c79a79b0443d6

SHA1
317e1efc6538746e50d8c383ae5a137edb63458a

SHA256
3e8f295c69f8397a227642064daedb65ff0184ce8ae0ca830a55ced615f7a028

SHA512
b1d88098c67e8265e3d700e33f9c6c741422944d2dc855f5eb841038ed525a146a5feb93fb96df60fbb735b3338435f3c77e47966244dd5f1afb9b6becdf6872

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
426093cf7f42a5844555f7384afad0ed

SHA1
998ec99c10cc8986edd7acb63a9cee2d2161840f

SHA256
c698c77952283221d9d760454d355a18698e9e91f2aaf55766ff1ba2f2261cb1

SHA512
175a84c058c5ebc54fbdee174390a896c96fb0d308772c855900c455a3e17d158056ce89be3e306880d3ba369fd995ece21ffb7f198cae6a00440ff23d7d0f55

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
8ce3f8728fcf105d8098f01a087e7190

SHA1
562d717ebe4e77e5a5e39400c647a31c8bb59d37

SHA256
e6cee57aa25b311bc746f60b2a0df4c87f58877b497add802a4b9c8f0bc429e5

SHA512
73c683b1d2bb9fa4433eb8bcb78207efff31225ef3789313a0b62117f5877f9bdc46c3c029c952b522537b5b2ac222ba8da307e68bd4606f4e02ac348f3e5823

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
b32ec2022a78cb45e076da1b4bfdac06

SHA1
f0f65f50138145b2aba2b08e7e14e5ceab9677b7

SHA256
c7cf7af68df24ce3ed07ccfe592e0f4d15929dd7db0d231d9db64597ed477aea

SHA512
3dfa8aa79122a13a15e93fa4479e1086f3c3288ebaddf6742f17d87039de7de77b13266700f4130a27e5b4c60ada6f6d01a6fa3e763bba469be1ab6522236e41

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
36a7f5186fc5d185335530d06af9e419

SHA1
6704b7aabe780cc0946f4bd17596a3dcb228c16d

SHA256
d4a67451b9ec2132e92ffa37640ad4ce3ec0b7640b16e6431cf6e4337d17b4e6

SHA512
1687cb1312ec402bc54538d45fa27150ac58f6f3db10ed473768c4c5a4512c54ab21af36a5fe19da33fbc144f4ea6e7402b4a772b417c951456418734fd562b3

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
7764c632d6aec65c157911c9bfe22a62

SHA1
299e268569dcce7395d57c98f20d737f8f4c7f00

SHA256
c79946e9eb74d1384f38738498c855da059e60f9de2692aad28d72a26417999c

SHA512
36a82a185b7dcc343113c012bb13bbf45e4280c059425ebcb0d86f81b9d9abafb97f7581b2a0649e8841f5184349e550ea339d4d527576545551828cffb02bdc

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
5c8d52b847282e3d0c9eb8bce5929219

SHA1
a3d900c9add68c03478656797ac9db7dccbb5012

SHA256
0a122b57d40beebe9c65d3ba7a7ddb62bde11ed07a01665f5053cb837c7fccd5

SHA512
84ecf077875aa852f5c2e1e2ed9b467edf14afa69b0d41896c3398a2de89071e578e04c898579257a9b2f48230f3a90673151edce92b38b9c4fc1ec89e9a70c7

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
994fa6b8239b1b359bd6affc0d3774dd

SHA1
5cc5abfbe925b58b57bdede3b1dfdacb5a614d4a

SHA256
f3aa57421db73274a9e6d51dd42b8052954afd3a62f2e1441b60403f80e2e11f

SHA512
8b40c2a4930baa0ea6c87fe5f4fd8304442622e61a3944085077490b9a7688bd94006c15aa9bca5aead35c0a5640a7a284a2fa07d68817dfcb246b24a80054f3

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
326ae8f34e8fee5859b9225437b4048e

SHA1
2fd6d4c47463a03f31d5e3ccdaab53bc96517884

SHA256
caf7128279159203ab65f8478b8bca2d81b265b24eeca667378eb93fcf1d61bc

SHA512
ea23e4f2e40335b3f30c0d64d436adbd7bc5b924d3475dc8f681dbd03028fbc1f104366dc1fd43661dd7d86668092424360eaad8414dd57644dabe9ce1bc53c1

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
96KB

MD5
2b68604926b8928f593c3e05650085ad

SHA1
af83c296e1166b645fad44326ed25deaf4e966e7

SHA256
974d49b02bf69b216ab3c7e73a2a83e49bc62cc67f49d57ddda27d9ba907e63f

SHA512
5977811dc9b8fd708d3562922f231e45159fdc8e71fffb954cc8e0f2b04ac4cd5a83d9ce1f25802a29199613a046e8e2f0bb5c96c88288535b8b43f9054cf3fd

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
96KB

MD5
bd603fd5941c85856e1abfe9141af593

SHA1
77d5fe1d338633fcf2af877c0f1beabdd313d293

SHA256
baa2345179c460a25d7e82909b441c72ce0f6aec8634074f8cd30278ff6087d8

SHA512
a2cd9521da9b4596ebec5eeb3f774ca5d4c4844658744f9c00506c219c2885ae728516a9b7fe0ba4286973f978580088415dd23d36f42e8993a21e54a70a5bf6

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
d9d283d0448b82c19a74bfa1877a162a

SHA1
1d03ddeba98c58f64e9f5133034fe45a977cf1f0

SHA256
4fa99f2b39fbecade4f71461a96f55f4d8b2093a7b88d2661b650a12bb06e486

SHA512
42622d3519260d49374b0e15268f5501b72cd79789a0726e76eadf2d57d453da655b18031169fc1f22f2d8ea26e25a7ff8829752ee5b30adaa214ed7036258e9

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
80371363377c6df9bc1276067be9c7de

SHA1
48839bfd6466e9b4fa0207bab116c48ae85b1191

SHA256
721a023e5522fd572de50c326310f1f62d7acfb85e9e07fd4f3d6549dec054c1

SHA512
bbe5cf868f41563934e1882dc28dbc52565e734d7fed8b62187b12746dbd183270f49b8a6682481c0fd1d5c8fe2c2a2126e87161d3dc5da809835a6f10a3ba11

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
bbb4d5224eb4eb2a8c02b9bb87eea6f7

SHA1
3b1414d6c5b411c2111aed6ef02c39990a71ea8f

SHA256
a9edbe093be69c6c74b06d0991c502b81e479f5a29fa192422f10b30561185eb

SHA512
c918e0e08edaeecab435e8d2544e70800c1600c39c58fa50c63b5ca91af5f379498f56f96ed8d1e46aa43981f383618b975f49ea81910ed44a391ca961b56493

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
8dd56cb2b5f45ef9d698ec17f14a4b56

SHA1
fa0f314c3c8fa88154e5082c0ca3759f2fd21cc7

SHA256
90fd592be63c32326046d76b9f804252a0d8621dc0c81b0f9a735d9d8c9da37e

SHA512
9bbff2bcb5f56566a0930f373c282959149ae0e6886bb0f9eeed5d6ac7e1c8b7b993e63483731ab9d880be17ae17c0112ed53aec04819b9eb529c4c5d266dea8

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
26fbb823deeda4a46e70ef6fc1c26f42

SHA1
688f020f84b623a77d5c31f7706078220fa36410

SHA256
b919753e36090ab51c77de655abc909289fa75afa0fef3fe57238263bc19900d

SHA512
64f16fc47823d4bc387abfa5c679baacd7dca61aa7e52717c0025c3d02698950eeca23d901ffa681db14c89d9efbcdabb1128a74cd216f1dbe150cd925d121f8

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
f97d1da14427ca8d0c146b60202c7dbc

SHA1
0c6fc6c8a15463650c6931c71a2a144c7643f2b7

SHA256
e7cddc35569b67aa24fdd3ed83ea3f8051897615e62a81e3e8a50aa624ee7a61

SHA512
5d929aa8215fd637a905952bf6c977e7dcdad6b74eb18330a39938d15469ad408b0cb515bee3501993fc28e25161bba2695510ef24939963780baae3f18d15de

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
0c0c2032446eae75dda103f2e014ee2d

SHA1
44893d823c15cfc5a1f5c7da0421e93f731262f0

SHA256
1a1fe79ba1d21916e882019effd843072563947a97903dcf80d31dc2fd138c7a

SHA512
33c9607caa67854bfc283f55f9e21f2809534dc81b39d49d0459b56f7a467c6701148a673cd3470e45b8918d3cf2c6a0d1ff32017de27212e91f8d28e006e4db

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
ad014ecb0af27c929eaaee6c0504f9b7

SHA1
f8068d725e3799658cf15b794f08c69530e7f63e

SHA256
cb9aade241982a205a328330392049eb69529b9df54ea84ec7d627037d266c27

SHA512
0964c309f59d91af614cff2406155093d7417d58030864bc22bee7d6717aa450071bdcfb652e8b80a5e65f1e3f6b22e3d1db1fdee34bf32bf0f55b547174c057

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
96KB

MD5
08f70708a8cedc804c4d3d10e12e706d

SHA1
7a37618b2f62c9efaccca07843be22e9c0390142

SHA256
0518283df57b59bb555aa9c07ccd8c853e9744e07cc995965c24069e9ee4ab4e

SHA512
f7e8a8881016342a5587d0600dc71f928851e913ac0556a5518a351ffdfaecc795cda2848cb33e7ad9eb5f83a61b1d445ab8ac54fb771ad534af364cb5c3d058

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
a40ccb0ac38c7a7770f2cf41c9524da3

SHA1
a8303ef98160ea3a418057ec573fff1ca4872700

SHA256
b21b5be5164fc72fed675e04e2e4590454760bd2ab661a170e1c99f4f48c6a61

SHA512
59af320354621bc5f23221addc2b3b0ff4096caa8c685e35fccaa4582c896ed015e72b4dc6c23b6bb62248c9cd6a688872312764f670191ba5d8263188f83fd4

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
ec47c087ca4403295bf3f9475d3cce0b

SHA1
2ce20c133c79e56423bafa90096841d9df8e73ea

SHA256
ab571fabead138280ec035f5f11f4ca9cbbe58473f48377005f35956b5b4367f

SHA512
7b18dc0d4566d1e602631c0901e25cab255560677523b6cd4cfd78aa75fb98abee9a9b0e4137391a722a6fa27f040400e7010dbc6db4cf47bbeda9c7505d4044

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
e3fda91e2d092c1eeea801e8e4ef33dc

SHA1
db9d2d81f6f35cc49725352c919b48f02141ea08

SHA256
f89be92f2d6822a971f1c636eedd359f594b14f0fa4779141f997abc31d90d45

SHA512
923c6e8bb2a5dc5d2ec1336cae1cbdd80d32e7fcb256a02f751c84852c4dcadcd33ab113ea00063bebcd13fc097b936caf0f66c8c38fa321c6c9b0d1865ef103

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
b0c8a5ea4523cb931db60ab647f552d8

SHA1
6a734926bd49d2f24c48d308737c9a48e7ca6309

SHA256
bc388d0ed6163d900576de9add248d78f55b0928a4398f1e07a676ee5247e839

SHA512
686f629cbf976c053d3352f348bc5b4e61f13ff6f320488552ad5eb71341a553129e6d70f3532071306a8debee8bb0c52fcfd5c8cb761c41093026cd08f7efed

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
8bc4838c39bdc790e0068096bfbf8262

SHA1
7c350fa6c322cc53dc47085a1918ba47da0ae24a

SHA256
e96f6f4243f8695995482affd8978ac03ea32e6c6fd314111836d4c9eedcd04b

SHA512
9ffbb5c75184eab61117b03e4f1fbed2f1a84170605869e398868fc427d77159d80c00ae39d57f0528a14b9f0886037fa7c21cc2953c895f6d57dac5f7bbadad

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
a1e4174a18c8159f61733a26b552437a

SHA1
e22b220eaf937a646a234d32de8bcc08298e38d6

SHA256
1f9a6b3ac6426cd6c5174e63d0bf23e48a2fd0898a33da35b3ee5970274ae320

SHA512
66c7b3e5305d41d52f2e995d7c5f7e71dba302ea3b5f23acb0fcc611f46986812ce484cd11205a44dc59e9b45c8a0ace2de776f0b1e1caaa9ab08048d6016a26

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
f86723e13c1f147d55e639c73ca3c2e8

SHA1
53eb60390c958f42c754a1725990f9c371b590fc

SHA256
0021dea2cd4d287fb5143e9c522b1c9d786cbab1198f43aad2de647de34b49c8

SHA512
e0c96e6f2a16ee406391e4b473b33d2889f0044ceabff231ec19fd8b97ddbd30427930db212395749ace256eb017b82f94b2d257be1ec0b6f9c9321fa2ee0de4

Download Submit
memory/60-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/60-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/224-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/852-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/852-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1196-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1236-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1236-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1380-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1380-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1504-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1504-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1636-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1744-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1744-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1796-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1796-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2056-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2056-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-124-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2660-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2660-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2864-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2864-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3384-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3392-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3392-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3700-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3748-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3748-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3992-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3992-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4084-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4556-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4556-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads