berbew | 3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1a

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
Size

89KB
MD5

f24febbaa09effbbbedbcdacd67dd7c0
SHA1

3f088632a53322368ec7eb73f33cb1a06f34e6c7
SHA256

3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1a
SHA512

87a5af2d6e22c95a3b9351fa535df496bde57c9540da19ed0e13bce55871219a50ad48c67c41768932b396ddbb777ec0d8cffef264c3951e1a418b65635750ee
SSDEEP

1536:qn+7jUJbyObNrRRCCBCcq4HB4QX25ZxDtvcLjQRQtR+KRFR3RzR1URJrCiuiNj51:H7j4byKhXBZqw72vxDOLjQetjb5ZXUf5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1604	Pgioqq32.exe
3840	Pmfhig32.exe
412	Pgllfp32.exe
4584	Pnfdcjkg.exe
2060	Pdpmpdbd.exe
1704	Pfaigm32.exe
4844	Qmkadgpo.exe
1824	Qdbiedpa.exe
1548	Qfcfml32.exe
4028	Qnjnnj32.exe
452	Qcgffqei.exe
1516	Ajanck32.exe
3680	Adgbpc32.exe
4860	Ajckij32.exe
4116	Ambgef32.exe
2388	Aclpap32.exe
1560	Ajfhnjhq.exe
3448	Aqppkd32.exe
4032	Agjhgngj.exe
4720	Ajhddjfn.exe
2304	Aabmqd32.exe
1680	Afoeiklb.exe
4872	Anfmjhmd.exe
2544	Aadifclh.exe
4624	Bfabnjjp.exe
2368	Bmkjkd32.exe
4204	Bganhm32.exe
4368	Bjokdipf.exe
2236	Bnkgeg32.exe
4428	Baicac32.exe
2300	Bchomn32.exe
3380	Bmpcfdmg.exe
4828	Balpgb32.exe
1428	Bnpppgdj.exe
4128	Beihma32.exe
4868	Bfkedibe.exe
1064	Belebq32.exe
4920	Chjaol32.exe
1672	Cfmajipb.exe
2764	Cmgjgcgo.exe
3340	Cenahpha.exe
1740	Chmndlge.exe
2172	Cnffqf32.exe
1784	Ceqnmpfo.exe
2308	Chokikeb.exe
1320	Cagobalc.exe
1384	Cdfkolkf.exe
3444	Cmnpgb32.exe
3676	Cdhhdlid.exe
2644	Cjbpaf32.exe
1352	Calhnpgn.exe
3332	Dopigd32.exe
4724	Danecp32.exe
3076	Dhhnpjmh.exe
1512	Djgjlelk.exe
3932	Dmefhako.exe
4748	Dhkjej32.exe
3896	Dfnjafap.exe
3312	Dmgbnq32.exe
3056	Dhmgki32.exe
2632	Dmjocp32.exe
2260	Deagdn32.exe
3924	Dhocqigp.exe
4988	Dgbdlf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3748	2784	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1604	112	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe	83
PID 112 wrote to memory of 1604	112	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe	83
PID 112 wrote to memory of 1604	112	3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe	83
PID 1604 wrote to memory of 3840	1604	Pgioqq32.exe	85
PID 1604 wrote to memory of 3840	1604	Pgioqq32.exe	85
PID 1604 wrote to memory of 3840	1604	Pgioqq32.exe	85
PID 3840 wrote to memory of 412	3840	Pmfhig32.exe	86
PID 3840 wrote to memory of 412	3840	Pmfhig32.exe	86
PID 3840 wrote to memory of 412	3840	Pmfhig32.exe	86
PID 412 wrote to memory of 4584	412	Pgllfp32.exe	87
PID 412 wrote to memory of 4584	412	Pgllfp32.exe	87
PID 412 wrote to memory of 4584	412	Pgllfp32.exe	87
PID 4584 wrote to memory of 2060	4584	Pnfdcjkg.exe	89
PID 4584 wrote to memory of 2060	4584	Pnfdcjkg.exe	89
PID 4584 wrote to memory of 2060	4584	Pnfdcjkg.exe	89
PID 2060 wrote to memory of 1704	2060	Pdpmpdbd.exe	90
PID 2060 wrote to memory of 1704	2060	Pdpmpdbd.exe	90
PID 2060 wrote to memory of 1704	2060	Pdpmpdbd.exe	90
PID 1704 wrote to memory of 4844	1704	Pfaigm32.exe	91
PID 1704 wrote to memory of 4844	1704	Pfaigm32.exe	91
PID 1704 wrote to memory of 4844	1704	Pfaigm32.exe	91
PID 4844 wrote to memory of 1824	4844	Qmkadgpo.exe	93
PID 4844 wrote to memory of 1824	4844	Qmkadgpo.exe	93
PID 4844 wrote to memory of 1824	4844	Qmkadgpo.exe	93
PID 1824 wrote to memory of 1548	1824	Qdbiedpa.exe	94
PID 1824 wrote to memory of 1548	1824	Qdbiedpa.exe	94
PID 1824 wrote to memory of 1548	1824	Qdbiedpa.exe	94
PID 1548 wrote to memory of 4028	1548	Qfcfml32.exe	95
PID 1548 wrote to memory of 4028	1548	Qfcfml32.exe	95
PID 1548 wrote to memory of 4028	1548	Qfcfml32.exe	95
PID 4028 wrote to memory of 452	4028	Qnjnnj32.exe	96
PID 4028 wrote to memory of 452	4028	Qnjnnj32.exe	96
PID 4028 wrote to memory of 452	4028	Qnjnnj32.exe	96
PID 452 wrote to memory of 1516	452	Qcgffqei.exe	97
PID 452 wrote to memory of 1516	452	Qcgffqei.exe	97
PID 452 wrote to memory of 1516	452	Qcgffqei.exe	97
PID 1516 wrote to memory of 3680	1516	Ajanck32.exe	98
PID 1516 wrote to memory of 3680	1516	Ajanck32.exe	98
PID 1516 wrote to memory of 3680	1516	Ajanck32.exe	98
PID 3680 wrote to memory of 4860	3680	Adgbpc32.exe	99
PID 3680 wrote to memory of 4860	3680	Adgbpc32.exe	99
PID 3680 wrote to memory of 4860	3680	Adgbpc32.exe	99
PID 4860 wrote to memory of 4116	4860	Ajckij32.exe	100
PID 4860 wrote to memory of 4116	4860	Ajckij32.exe	100
PID 4860 wrote to memory of 4116	4860	Ajckij32.exe	100
PID 4116 wrote to memory of 2388	4116	Ambgef32.exe	101
PID 4116 wrote to memory of 2388	4116	Ambgef32.exe	101
PID 4116 wrote to memory of 2388	4116	Ambgef32.exe	101
PID 2388 wrote to memory of 1560	2388	Aclpap32.exe	102
PID 2388 wrote to memory of 1560	2388	Aclpap32.exe	102
PID 2388 wrote to memory of 1560	2388	Aclpap32.exe	102
PID 1560 wrote to memory of 3448	1560	Ajfhnjhq.exe	103
PID 1560 wrote to memory of 3448	1560	Ajfhnjhq.exe	103
PID 1560 wrote to memory of 3448	1560	Ajfhnjhq.exe	103
PID 3448 wrote to memory of 4032	3448	Aqppkd32.exe	104
PID 3448 wrote to memory of 4032	3448	Aqppkd32.exe	104
PID 3448 wrote to memory of 4032	3448	Aqppkd32.exe	104
PID 4032 wrote to memory of 4720	4032	Agjhgngj.exe	105
PID 4032 wrote to memory of 4720	4032	Agjhgngj.exe	105
PID 4032 wrote to memory of 4720	4032	Agjhgngj.exe	105
PID 4720 wrote to memory of 2304	4720	Ajhddjfn.exe	106
PID 4720 wrote to memory of 2304	4720	Ajhddjfn.exe	106
PID 4720 wrote to memory of 2304	4720	Ajhddjfn.exe	106
PID 2304 wrote to memory of 1680	2304	Aabmqd32.exe	107

C:\Users\Admin\AppData\Local\Temp\3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe
"C:\Users\Admin\AppData\Local\Temp\3b0a65f570188169da83e0f0d64722a2c8fb86808deb6505f155c5ed12b5fa1aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\Pgioqq32.exe
  C:\Windows\system32\Pgioqq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\Pmfhig32.exe
    C:\Windows\system32\Pmfhig32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\SysWOW64\Pgllfp32.exe
      C:\Windows\system32\Pgllfp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 408
        67⤵
        Program crash
        
        PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2784 -ip 2784
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
89KB

MD5
01eaa8afa4a6f992809c6deaf9905083

SHA1
95a7eb72fc33b6adb071b7359ff52eacef7c172a

SHA256
7e0b181f624edf690d647a5eac8d9bf0038d7e7ce1a5aa3a19302467935bac9c

SHA512
baa42502aaf07e19b4e37699231cf83e61e49073baa96a6961e99978abf7633ee3f3b935f45a5b1290a6c0342f3cc12086645391825dcbd0a7f18f4aa1cccfd4

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
89KB

MD5
ef5b584f5d650f3c56a58d1ce5823f06

SHA1
0a246b314c2a83e718bb0b3a2f73f6034893ff7f

SHA256
b1e3e5bd79009f6917b01b98dddc45b85f149624e8b7f3f3796c758bf29e7f21

SHA512
f1cfe99f142911cd4dcc3bca9125c8747adf778a8320a61d43605b40510dd1c5357f400ea69b88e915720dee2f2718c2d828852226b12f2eb81907e6131f53e7

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
89KB

MD5
3c5cbb0ce04007594da10764bf9ee2ce

SHA1
0ac6d51ac3f65b9aac80a13ff80d3e8c414b11ae

SHA256
1536c10bc0d0ccf260620e9ceba4444df8833f1b2a8a74f42fe864bb39dbfa08

SHA512
e488b37c7142f955a006907025c8c82e7450d10dd397b16eba9cf4bc200a98157ce475b2b9ad0f65201a91f7238b5e9ec2f0dd0054ac9f179ab3871ce495af99

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
89KB

MD5
057b1ee08ec93fd6a4fee1eac0977941

SHA1
4e41bda4fe79e59e37348003126cbd4210f143eb

SHA256
243e54191db19645b4b805a5b7454189b870e8e08866c237adc3242ea020b68c

SHA512
f2b575f82daeb053c00a7488f60677c786faca8e326280ac06b59343d13a0b220479ec7e67fc77d735c27b1b1ad176496e2165c600f0d18dadcce36e72b6b1e6

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
89KB

MD5
e52ac93df6eb50331c6643f407d0a528

SHA1
c41044814b6f10a1a86d69d90cb66786767b15e9

SHA256
231b792f69251326a5373d9922affbd136127121f0369ec2fb145413a43a7c4b

SHA512
fa73d9143fa13fa6f3a01a0bce18551ae09a72b0148db569aa19dabd0a813e7c8670527401b3befba79c47d3b9550c6ad59580707c70de1db5ca3d2aac2a9b0e

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
89KB

MD5
14f395b15853d0b95adae8d3a517e9f0

SHA1
f7ea494cc9df9641e3175b5ed875e848e3db45da

SHA256
93a6e42f619d5f262ee3f680aa32bd49ab8b9a90214ac669422b2add136d92cf

SHA512
fc9a8997f05059e0acda179e974ffe3e98aa304d131d54473c8225426e9768518a2642c73147e0e916500dcffe0e1f782be58e8a54a646e6ceec93c3024b5537

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
89KB

MD5
092bf248a293ad4cf99c2f38c8806508

SHA1
12ae3ac418b826dff721111a18a6b1278cc579e7

SHA256
933e7180d3e8674846a58adec6863ce61eae0fe94dde2f694a5b5d29d75822b3

SHA512
fd17a5ecf23672fa2865c6cd37a50e0708849733d10f6a3629b900424711bcb2b1484615fade861fa524ced379b4ce23aa770746b612e13110253a92553e08fa

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
89KB

MD5
b5e05bdaf51f28c27dc37b33cc7976c4

SHA1
32f8b15b620f40bc48e981b0076f4bbc8f18252b

SHA256
381338783d81fc3a0c4a3da49021f377706f1857ec8cf79c568e3c7f79e47429

SHA512
33abee09ef99949e2bb9c9a2f7d02b0cee3232d1a3fb6b9604d9f468129a10afc09190a32ba5f53810e1574ce12dac84a9eec8369e423bc1ed1a55d702d8f5c5

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
89KB

MD5
5f102208eff66204561417d15ad1e1ea

SHA1
1e1f93273d7346c105f00fe06eb04624885c3843

SHA256
2d58514bf81893ca68142b37f8ca15e3680b677d7eacc0ac71ab9086094067ff

SHA512
31b22c439385f6ff4c1bf516c3e1e0e25c6702d88c4f8be12cf796e72adf872c7def995b603549ec85914ff94c4f73fd673a285e3729dd5c06a4a17d84e35a3b

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
89KB

MD5
e4f1d859f08b69093c668164d3b8eb94

SHA1
31897a73ab9d10d79a73fd8073a33b712d1d96f0

SHA256
8798a05f90703eac26bee99e90fb519b9db590f98a1eae46b292ec909f98c546

SHA512
150e40b09e3aadd5e1521fed69a4ebfa3024902aa0982f49d1ed351a93c99922367d44025aa55cd047ba75437a3cf7d4a7a3e2364c7368ac94e96182ceafe5ce

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
89KB

MD5
324e2eac11f51de6f597a5bda4faaa6a

SHA1
952ce166b842e00e2d74615825f7e407c656346e

SHA256
8ce1bc0c510eaf51be07f8ae005b1028daa6e63a845c56166b3313546ce478af

SHA512
d83cc24a1c2b39e749d4a5b3543348ac14a4e902a0565d66b8fc2eb6c2dd53b02d9761c92b3a5d89a499c63c4de71c4469a9579706b999cc56a17f828c31da1d

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
89KB

MD5
dc10cf63e2c9ca55a439b0514a35d8cb

SHA1
29d61115c79b450420f41f7c8cff1f4decb6b9b9

SHA256
33dcc65318b1929e8b2b545961b1ddfec2ec202e2a4d3838ab2aa2492576237d

SHA512
01f6cdd18c50ea5bc425ae577ba1d627e4a7b89d18943fdc59d74959a90b9083ec447ccc4af051a619485b3ce49923fff382defdf413f85a90b3179a74bbb1e3

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
89KB

MD5
8376559b75555859236b830edc6f0427

SHA1
a54554bf98b5ccc6f2710c6fdc85e1d8c631dd19

SHA256
d640c312c26ede271fcebd12f1ff4d828c36c3c71ad87a90779cf581511f0146

SHA512
95dc8ba7cb537d154d90e0abf3c73c57176693b098b9d48b478a6bcd9e6d73ac15e0cae75c6d435b21d4c61a0f2ab2f64367051124cdcf9ef6dd9474e79568f1

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
89KB

MD5
4529f7e8261d60da845d059f3d066b95

SHA1
04bc879aeb652c49aee832fe90e4261f02fccfd5

SHA256
7b3a254ed0b72c7679c604af8bea5f6a6ca230c5e4ed4e75d3488a2ddf1560a7

SHA512
9787697fd55a6f19d16aee76869844fd9e4668c4b128c562e0a4d7f3d4661895866861e11ba8b34a929058b52067e21c025f3d767fb9a27c25fd64420dca3f8f

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
89KB

MD5
c9c04e718496c48491549899299eea5d

SHA1
ec0bc165f9db4dd4fe0ca9379d7b59a70081da9f

SHA256
81e0b857fa2959a9954a1ca1eda5d080dd848363251d3302130feb42f6c726b9

SHA512
d1b928a89c8d5f115a5e6322642e5c7c3bb1ae47fc1bfbd43f43ba908a2d60d4f132e544dcb307756d8726082a032907a94622af36e62848262d88ed27e16c12

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
2786e6579b655146eab77812dc3e3bb7

SHA1
d017d27b67730304b8879e0ae8f29f23ee2e007a

SHA256
abf50df14664027c41d55b32e2eec8ae34eed024dd12021d733ac277f403b60b

SHA512
e4653bf702612150a4600b4f373685c7b80d458e4978908734b101ae499bfd0f6f55effb4ffe1774a7367e29f3238d58c6507852919ea70b125b05143ebace4c

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
89KB

MD5
3d6f2fa13b412310399cc1c0b0bbb4a5

SHA1
eae048e7a791bd846cb82ba7a9197ea0e994d39f

SHA256
236f98e8914142706ea6beb36d47cff32540fc1a0a7abfaa7a978afb15792077

SHA512
95f5c54db1ddf530c97a9784819fb4eef7f4444dd93d564fd93cbcb95cb70bb1855fc2b82c6fa68818e0ce0f4700061eb8c9fa02681b2c1736595d0757105522

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
89KB

MD5
6eddd0fe79760d54eca8faa11e2ab31f

SHA1
624c4174d992752d4e2e7be2ad922121b59c5495

SHA256
3337d6464b5ea1a6f168ed99962b791b25d9b3837ea25796687d6a7236a163fc

SHA512
cdb4b4cbe517e3fd9897254184d5ba40e1dd0ad3505958db7d2fd0411d6d960227e7fee82fde9f5ddd1512f71502838c88b6acc4bfe809bdbb1bde52748e398a

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
89KB

MD5
56ce501f6bc7d6116a43cf3f016dfeba

SHA1
86f7e27515c95d793af5bf2a592b2eaa80bddf97

SHA256
2a14e63946e015f5ffd0fb22c9ae344a480d08ead2cc8db10b4e01ae34641447

SHA512
839c56d752de7b8eb2a29ded13c602687cbfd539fd047330550c16056fd2a56507055bc7acddbf16550ecc120cda18ba2cb5803be73a5fc83b83ae4efac6e1a5

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
89KB

MD5
b221f788184d9a732093d2cb8704f108

SHA1
767a6dbbbd9a1c34d2ebd663fa302d8de452527e

SHA256
7431d98ac82682b022e4ed1094e0a10d0ead693592c16c0ff91631bd66dbabc9

SHA512
2618fc5ffd94022f8ffe14370b4722d374e289dab619534f52eb0d1085fd5a7b9b7f4032b2b43574389079a373fc2e777dd8df82b55d9133b0da75aef6c76107

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
89KB

MD5
02146283ae9e3a4ed132a51815de2263

SHA1
4c9b6e554453498105e3463db78735c7554b2d4e

SHA256
30db9f7215629656839ba18615d24953b2aef946b56bf7aa3e6c0418715ff673

SHA512
ca883aaa10bc281179273daf8b33680b07d46063181649a308e244abe6f68306d3461ee1f14f088e68a3abe46ff52e7cb3f6866db880f592824df20998dc50ad

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
89KB

MD5
6942362939e0caabd828ec7aef37d34e

SHA1
7d4231900db39b7cc0c701cf8097dbd28b45a676

SHA256
40610ef1c27903d8fe86c1c872c752dd17a7ec48b14dd72ce73394cbe44eb852

SHA512
4927afec428848fddebade458bb41470e90d7418fcf209b938321f8d555c6c7fc660352b1102f42d162dc97079c9292f8aab834d218f0a52281690abee9bec8c

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
89KB

MD5
badcae8c50ae85fdead5b09108763b74

SHA1
1a992dac2421a06a42fa326189d879db824797b9

SHA256
73b06a392a6b5644dfda7e73ac2ea89044141b1778bc6899fd02b69ea278ad4e

SHA512
06241abeedc0ddd54475b92faf5cef93494608a676b1de6063d13e1af2722395f239ef9c1a687ad9ea5142d7bb956cbf35da2fb52daaf6949c328c562709a488

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
89KB

MD5
00bc277f174f247f127fe3ffe39e67a1

SHA1
4b335a0c36c74eef65911d6f2fee6ba2acc7a4e0

SHA256
e4825d7dca77ddcee2306c666d621cc58125d4f0f499c63060966aa6f6ca94f1

SHA512
78280aab3d615b490de8b15ca065b0d889dabaa3c9a1931ac57871d92075a28705c58776ba38d5239a027040df567a0b433b6bd133ee01342deefea8025350e6

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
89KB

MD5
a88c70a5251c86bb8d0fcb43382bf671

SHA1
cb5a5ed9a202277eaecb8daf465f592b673f76d0

SHA256
6b600dc1a45d61ca22ebcc299f6ef187378b15b5b806425e116c18513c3bee59

SHA512
4d2c05d0c6ed88c3ea52c7f42d0de3c5034d7428e6124fea5454b9d8d3c8566769ec7147c424e7c02527dce5bb750b1d29eda4338a96a3a31c958e3ff3720b91

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
23cc604797f9c1ff84ae185e4cf25ca1

SHA1
bd7a8135e85e8f2420a140f4e36a54bc0133bd9d

SHA256
9324a5bde1e98968c224d13ffa39e0236ed89b1b2939a5f8bd7172ca110dd947

SHA512
2d84389b3c129195193b0e87d2868873a221cbeb4c999950885ccd3693c3c5b650065ca16017abadac27e53f9e527b4044f02e5cfd59a51e8f629001e21b1829

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
89KB

MD5
3a2caac793af0ffcec68046245c05a3b

SHA1
5bc16130d18d57a71e5ecc3984eccfdba602aba8

SHA256
231cfde5e71c63ea42e8ffc7dfc44608ce8f638d5adb84b2d3c14537eeb557b7

SHA512
a651953ef81b2bd729e783f49487bee0d36e55cae7a8f72238526004bb4968305cf416882186ee322df69c2fb1a1114ba8d2ed4c241909a5356d1689cc7b527d

Download Submit
C:\Windows\SysWOW64\Jpcmfk32.dll

Filesize
7KB

MD5
a7a0a564b07aa05d75eea03fe38bfde0

SHA1
16b0196f48277f769ba271b52f5613960586dec4

SHA256
69d4762c3275f14e1d58d35185850da86e4072f868d69025765be73d01e4ba22

SHA512
863eeefd74ea96c0664074802eba5ed4f94aa2b71d810eb08be6847c1c4e9745eead4da6b424f7e119bd2bf8f467855f5aca22678bf121f8173d9df06a1d50db

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
89KB

MD5
c1727eb9110de59f75c8aedf6627e6b5

SHA1
8185676bdd451b067c15b5a46027981c59d48b0c

SHA256
f5af832e82244d2b15f095161aea08426e20a88b72fc6c92a6dd80ed936e6f0b

SHA512
23d2323190a0181b520ea593ca99d6bd8d8c33b8af171bf3f9ed43ffcee048464d92416d1a6b429cf6b71612f38ecd9b7a355ebd8078b577e72ee2898c2fcffd

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
89KB

MD5
2cd0302023b4249784e12f86b8bdffb1

SHA1
e5134cf42a7f35c84762573812bbfc8265064b29

SHA256
cefab9f403f8e3e481c203a82fe3e56411c94aae78ddf61eddd19b653f5dc45b

SHA512
6510d93f4fd97790d9306556e7ba676839189df3f9bb853798844a99f8dbd5f338b6a92da51b276e68c214973b31556e182ebabd1b0d7f92362dacb1c8578d33

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
89KB

MD5
eb3355c0ba9fdba66d173acea1bbb227

SHA1
d69ec6a02cbb4301ac8480cfcfc9e88131e104f9

SHA256
302a919549ac15b3a3a521bbe06ac801c2e536d61bd18ebc38bb21f991145750

SHA512
e81fb628f18f853b9c775c6134dd3b09678e9e8ea7bcfbff3449e2ee320abf358afc1b125eb650f4c1fd248907f52d6241eed2494cff1bf617f07c8081e20b6d

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
89KB

MD5
893e802119dc477fb730f678ea877a2d

SHA1
96e163ac1df3d184c0d9f9989ad18ba0f2ba1c22

SHA256
5b4a5f081374d58de2d3ea21910ef22a891aee12a825d26852e7dea644b39c2e

SHA512
17ecf0b4ccfa4ba8ac14144e17976dc6de1a74fe0d083c04c84b0aa80af674e917ca5fd3a5ae28a4c74b3c89b54d973c49c1e727e64cf4d62ba169afe08862b8

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
89KB

MD5
98056ee03e0ae8b7d6a102059f0fc470

SHA1
5da46badfbe1069cdfe492c1003b033f75f19623

SHA256
0b5b0df6ebb73d4d87b3080535ebf4333cb49753da6925ee5aac47a7c992dbb6

SHA512
6541c79423474d7c0af090f69017c19f11b2e73cb885734d2a6440eddb5cb9f5201bc30a2bdb4594537a1ab5f4c703f65510b211028612b7a47401cbe0686e69

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
89KB

MD5
d283af891d7c90eff012fd9a2a77d952

SHA1
6a61f0f7e8295cead6ae490ff4efaf7655f68eae

SHA256
bc0b000767c07d26304c6ddf7d29255812c451871e37712f7f45c54fc2d17315

SHA512
bcae1948b283bfa019c986283013935d4a9d9ffe4722a75aee22029e522b3b715343590abb1613bbf85287b63b818b1f99694358eef711444734a61d6f35f079

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
89KB

MD5
b4d1189370a1c5ad465f1d8d523725f7

SHA1
bbf885097bbacd78d2175ea587610304406dc8f1

SHA256
71efad3fa3bc443039d0f06a62214b28dded9244579dc2495d41aaa58e9144d0

SHA512
b7365da20eaac3ced1ce474268e825d328dc2eea5800363eaa45c37a177df2da8ff724d94053aa163cdb9930a0dc8ad3b818232ee351b7d6386ef19863ebf27e

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
89KB

MD5
db9a9e9ac31c9c3c5257c05dd8e4e5fc

SHA1
1cd5686c7b2ee5c272bcb6a8ad5e1cccc0b6e663

SHA256
473e4299a01af1f93d31d239663a59a5b121f087bdf0322881a72636ec35071c

SHA512
012cc4358f054e48ea856e59356b9963466560753727deb06657662a02d20a7bae3cbc925856afa6e30e3feda67ab5570f05ff15c728a4355461b024613a70c1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
89KB

MD5
736acb54fb6e30a19975399ef8099dc5

SHA1
e9fa6e4c425c36cedd44398866bb17aa0a3c041e

SHA256
9a7ea9f262762c6795f75a93e5872d914586e354d5c5a8740efdfb8e27dcfd6b

SHA512
59ff2848a1ef9f1f51300ae4e3e8d8a30a413de0e437b0bd33c0072339b2e5daee82ee862c9d2a28c00745f916e314c945a8bcc44f4d6fe637f867d84707838d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
89KB

MD5
839be2760a51e746b08ccf4806d10b3e

SHA1
7005078d9e94be22fec0c2e11e75663a24202d31

SHA256
82ee7fc39c6cda1bd50f22fc3ece7afa8366d1fa448ac4fffb2563a96dbcb337

SHA512
eb07cd1093e0ff38df40c2baf0a308279550180ca3b17643f65510a95adbf2c96594377d0fac18f08ee92c50d0c07d110868e4c6451c10d717919720fa806906

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
89KB

MD5
24d3b0241d14711a7f7896e77260cfa8

SHA1
1a3fae3f398bcb8e5603bda42914d1571c41491b

SHA256
c774b43aedeee7dbfc186b99fde74f56039851e9e97051da0a2d511bfd77d168

SHA512
bcc9b4ec1ee10ba3c7043682f07424d5716277064b43023a014418d43c5e73b8cd27749f2b6c89fdec85cf740631846d03437a8905e12d9054e0f14078fc89b8

Download Submit
memory/112-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/112-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/412-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/412-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1680-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1680-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1740-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1740-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3444-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3680-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3680-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads