berbew | d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
Size

337KB
MD5

f09a67ff847afea333983976e487bfb0
SHA1

f5ea6c9542a7280bee4685257d8d78f46d327447
SHA256

d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912
SHA512

c69c4009f38b452212f43562e9d1828212910cd51e1c2229c55daca8e9f87d03a5d89870cd2af96a2b621fa699056b91a17b67c704db62deedea57bb99771046
SSDEEP

3072:DrNrm4Z1O4MO58T1qgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:DRjR30E1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1484	Pqmjog32.exe
980	Pfjcgn32.exe
4792	Pnakhkol.exe
2120	Pmdkch32.exe
1320	Pqpgdfnp.exe
2116	Pcncpbmd.exe
2936	Pgioqq32.exe
748	Pnfdcjkg.exe
4476	Pqdqof32.exe
2376	Pgnilpah.exe
2100	Pfaigm32.exe
3932	Pjmehkqk.exe
4512	Qgqeappe.exe
5100	Qmmnjfnl.exe
2524	Qcgffqei.exe
2928	Anmjcieo.exe
2108	Aqkgpedc.exe
3064	Acjclpcf.exe
764	Ajckij32.exe
1904	Aclpap32.exe
2884	Ajfhnjhq.exe
3488	Amddjegd.exe
4888	Aqppkd32.exe
4868	Acnlgp32.exe
2336	Andqdh32.exe
4092	Aeniabfd.exe
2984	Aglemn32.exe
4412	Afoeiklb.exe
3300	Anfmjhmd.exe
2296	Aepefb32.exe
1732	Bjmnoi32.exe
3516	Bmkjkd32.exe
4460	Bganhm32.exe
2752	Bfdodjhm.exe
4152	Bnkgeg32.exe
4372	Bmngqdpj.exe
2696	Baicac32.exe
3656	Bchomn32.exe
3008	Bgcknmop.exe
3124	Bnmcjg32.exe
2732	Balpgb32.exe
4100	Bgehcmmm.exe
2164	Bnpppgdj.exe
3616	Beihma32.exe
4268	Bjfaeh32.exe
2124	Belebq32.exe
4552	Cfmajipb.exe
4316	Cndikf32.exe
1680	Cabfga32.exe
4724	Chmndlge.exe
1020	Caebma32.exe
2424	Cdcoim32.exe
5016	Cjmgfgdf.exe
2112	Cnicfe32.exe
3056	Ceckcp32.exe
692	Chagok32.exe
2796	Cnkplejl.exe
4952	Cdhhdlid.exe
812	Cjbpaf32.exe
1860	Calhnpgn.exe
4696	Djdmffnn.exe
4328	Dejacond.exe
1464	Dfknkg32.exe
2480	Dobfld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3188	2712	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1484	3420	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe	84
PID 3420 wrote to memory of 1484	3420	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe	84
PID 3420 wrote to memory of 1484	3420	d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe	84
PID 1484 wrote to memory of 980	1484	Pqmjog32.exe	86
PID 1484 wrote to memory of 980	1484	Pqmjog32.exe	86
PID 1484 wrote to memory of 980	1484	Pqmjog32.exe	86
PID 980 wrote to memory of 4792	980	Pfjcgn32.exe	87
PID 980 wrote to memory of 4792	980	Pfjcgn32.exe	87
PID 980 wrote to memory of 4792	980	Pfjcgn32.exe	87
PID 4792 wrote to memory of 2120	4792	Pnakhkol.exe	88
PID 4792 wrote to memory of 2120	4792	Pnakhkol.exe	88
PID 4792 wrote to memory of 2120	4792	Pnakhkol.exe	88
PID 2120 wrote to memory of 1320	2120	Pmdkch32.exe	89
PID 2120 wrote to memory of 1320	2120	Pmdkch32.exe	89
PID 2120 wrote to memory of 1320	2120	Pmdkch32.exe	89
PID 1320 wrote to memory of 2116	1320	Pqpgdfnp.exe	90
PID 1320 wrote to memory of 2116	1320	Pqpgdfnp.exe	90
PID 1320 wrote to memory of 2116	1320	Pqpgdfnp.exe	90
PID 2116 wrote to memory of 2936	2116	Pcncpbmd.exe	91
PID 2116 wrote to memory of 2936	2116	Pcncpbmd.exe	91
PID 2116 wrote to memory of 2936	2116	Pcncpbmd.exe	91
PID 2936 wrote to memory of 748	2936	Pgioqq32.exe	92
PID 2936 wrote to memory of 748	2936	Pgioqq32.exe	92
PID 2936 wrote to memory of 748	2936	Pgioqq32.exe	92
PID 748 wrote to memory of 4476	748	Pnfdcjkg.exe	94
PID 748 wrote to memory of 4476	748	Pnfdcjkg.exe	94
PID 748 wrote to memory of 4476	748	Pnfdcjkg.exe	94
PID 4476 wrote to memory of 2376	4476	Pqdqof32.exe	95
PID 4476 wrote to memory of 2376	4476	Pqdqof32.exe	95
PID 4476 wrote to memory of 2376	4476	Pqdqof32.exe	95
PID 2376 wrote to memory of 2100	2376	Pgnilpah.exe	96
PID 2376 wrote to memory of 2100	2376	Pgnilpah.exe	96
PID 2376 wrote to memory of 2100	2376	Pgnilpah.exe	96
PID 2100 wrote to memory of 3932	2100	Pfaigm32.exe	97
PID 2100 wrote to memory of 3932	2100	Pfaigm32.exe	97
PID 2100 wrote to memory of 3932	2100	Pfaigm32.exe	97
PID 3932 wrote to memory of 4512	3932	Pjmehkqk.exe	98
PID 3932 wrote to memory of 4512	3932	Pjmehkqk.exe	98
PID 3932 wrote to memory of 4512	3932	Pjmehkqk.exe	98
PID 4512 wrote to memory of 5100	4512	Qgqeappe.exe	99
PID 4512 wrote to memory of 5100	4512	Qgqeappe.exe	99
PID 4512 wrote to memory of 5100	4512	Qgqeappe.exe	99
PID 5100 wrote to memory of 2524	5100	Qmmnjfnl.exe	100
PID 5100 wrote to memory of 2524	5100	Qmmnjfnl.exe	100
PID 5100 wrote to memory of 2524	5100	Qmmnjfnl.exe	100
PID 2524 wrote to memory of 2928	2524	Qcgffqei.exe	101
PID 2524 wrote to memory of 2928	2524	Qcgffqei.exe	101
PID 2524 wrote to memory of 2928	2524	Qcgffqei.exe	101
PID 2928 wrote to memory of 2108	2928	Anmjcieo.exe	102
PID 2928 wrote to memory of 2108	2928	Anmjcieo.exe	102
PID 2928 wrote to memory of 2108	2928	Anmjcieo.exe	102
PID 2108 wrote to memory of 3064	2108	Aqkgpedc.exe	103
PID 2108 wrote to memory of 3064	2108	Aqkgpedc.exe	103
PID 2108 wrote to memory of 3064	2108	Aqkgpedc.exe	103
PID 3064 wrote to memory of 764	3064	Acjclpcf.exe	104
PID 3064 wrote to memory of 764	3064	Acjclpcf.exe	104
PID 3064 wrote to memory of 764	3064	Acjclpcf.exe	104
PID 764 wrote to memory of 1904	764	Ajckij32.exe	105
PID 764 wrote to memory of 1904	764	Ajckij32.exe	105
PID 764 wrote to memory of 1904	764	Ajckij32.exe	105
PID 1904 wrote to memory of 2884	1904	Aclpap32.exe	106
PID 1904 wrote to memory of 2884	1904	Aclpap32.exe	106
PID 1904 wrote to memory of 2884	1904	Aclpap32.exe	106
PID 2884 wrote to memory of 3488	2884	Ajfhnjhq.exe	107

C:\Users\Admin\AppData\Local\Temp\d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe
"C:\Users\Admin\AppData\Local\Temp\d086828a2c398cf05b5dff537386fbd85d7e161ea5a1d13085fe4b76994eb912N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\Pqmjog32.exe
  C:\Windows\system32\Pqmjog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\Pfjcgn32.exe
    C:\Windows\system32\Pfjcgn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\SysWOW64\Pnakhkol.exe
      C:\Windows\system32\Pnakhkol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 400
        75⤵
        Program crash
        
        PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2712 -ip 2712
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
337KB

MD5
675b1aa0cf543ab3c4fe8313e3b02614

SHA1
b751b679ea7f68b1df883b8f29f8c5daec5d3c4c

SHA256
b16c28c01cea6ad4008b51e0a8c96270239ade6d4bc13b9cc5c3bfeb0c1ce692

SHA512
9229c7c174f15b6f254b321f6ccf27cc3786368ed783d416f3af1c95f6dcc952627760264288e8fcb76d310aca51635ca96a0d008af9cd0aef8ccc94ae1a54b1

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
337KB

MD5
80a056817d2d1c67c5b0a0a28ba74aa6

SHA1
448f7cca908131c4966ca0a0a5ab2e2b964e295b

SHA256
c8639b82515b2fdceaef9af06d2989d2e6777fc8b49a1e8de674a0f7a5315bb8

SHA512
d164f4f8331d61292bc1d3e02c5146ad83216db5c181451601f9d81390ff62a44ac7e03e077e979140703d199b9b7c77eb1d6b1726e4afb33a548216020c0a24

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
337KB

MD5
af9602b09dabfb59a250071e451ef9cc

SHA1
725c77d9e91c573805c90e0a0febdcfc90d876cf

SHA256
b81aa48bab01748574982338f59bc0bcf63685a8ce84f7ec4ef19d6141924a23

SHA512
84dd5f7e45d359604a394a753f26830dda4bd957120cf1b91508f42031236e8cabbe48bc408a95d75650b7877622181054900b0e059be252ae90a53bcfa436c6

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
337KB

MD5
41e8ab848e9383079a66902e28323692

SHA1
56b0a02cb89442db8e6b6f95c3e64e3d35d69741

SHA256
e9fe09ed2821a65fb7548b5cb08f874a8da286893cdc22739ff4a9a203e15680

SHA512
ed2b67d5f6234019a712513f8c32c5176bb9798a449e186aad44366ab4642f93073ac2f351870456e5da820078ecded2dea08e773ed163a696c0c69843086005

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
337KB

MD5
9dd0f8a892d075a4bed54f56be80e6a1

SHA1
a47512a3a9f20944d872bd56983a542a75e8954d

SHA256
92950d19374363d6755a6b557a8e9dc3e0866139cbc07df6f22c41aaebf21ba0

SHA512
b9f4ed0a306510802409677eaefbf5e717a9ab51099dc6c447d59967c14fc238addf07f41d1d175b3908226837173968c43165804fb737b90627453d85f14708

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
337KB

MD5
f0eb688ea610033664d1a1675a7d734e

SHA1
77850dbc2683e55db866aebded3e4d272d2d694d

SHA256
352ecf2e40087355c0f9a6cba1564a74d5438578282126c9b6d61976d7e695c0

SHA512
bbc53c8d89787a4e68fcdfda3e1d496ba41d47603d45853504d41ee8472d396caac3f865b9f00ead90759a3e15e627c8a9cb89cf4b4a6575bc556f4a6ef4a259

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
337KB

MD5
d2a02269c1609132d57560dc7d824475

SHA1
4344e4484b3387039675c74ecb3d5e5b881ed0e7

SHA256
485ed7fde39e25ff80bf7c9f08178f7c805f527d601de2a4cd65bcbadca3dd90

SHA512
e3c0de476e0657a6720bdbe07e5736a5970563f2badaaba485a518420c2818468dbaac79dd8f29b97ea9f2887ae2a7ae81a169b3a32777c42184357296981724

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
337KB

MD5
dea948c200540cbf0035a8fb9c757d1e

SHA1
77554cf8f80f7902c0f88433dd41167006239f1d

SHA256
bf6866a0d57bffc761b6109fb31bb08485c73aca7c36bf20bfff6a79c3d21edd

SHA512
9d1ca505101a910bf63bfada8cffeefb8efc267694e21eef96ae059b69aa3f1ba67461439adaa46b3b5db639c1fdb7f79650dcf5905220dce3c1af4bbbb8b440

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
337KB

MD5
2e6de8e5650e8d95a5ac66d4ac5859ae

SHA1
344b33df10c7b14cae9c31728c668a1f7b2c4b26

SHA256
d82eecbd030603a652125bbdccfa036c2321f43c5d30c561dede56c8a76dc88d

SHA512
a107a48e8e2acc59769e2ae8fc9096515f3be1f18513937243c6c8bb7a8cf43de2d56a74944c65270b616437bba6f6d08a2a6732fc265654bf544d4fa7379c06

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
337KB

MD5
4ec30d58c92ca3bba7deed6f1735c540

SHA1
05aad9731c50d239ac37685caa349880da24dbc0

SHA256
c1abaf1ae82b10dd06b439f573c1a7d981e23023b4dabd5866f10e48cec05561

SHA512
5c684105e32cf95f27ae98cc5fddf77736282c769e03a8d6332a7229dd6498f9ec84f0007a99ecf1e8c20092f80497e19234240d4924770e69a626c8f378e1c8

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
337KB

MD5
649de86d35b7302188435b6233bc057e

SHA1
5fae4fb68c1377b03c0e25911c34ddf984974e08

SHA256
96689152cd97de196ec066efb3b56919734848f8dda6cc60ced32919f3cba0d9

SHA512
3e05d7aaedafcb0f3bb0c7c5340547cd3e526f60b8cd13bfd71fdc9448969b200786d80f13549bfa860603682f529a703501db89b616f3ef1adea332620dc222

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
337KB

MD5
ef79b1ad936548aa0f6ab46f8e9843b6

SHA1
1583c72b6b9955694ae843594cfba75de2e91575

SHA256
ffcb2990ea9f960c565d7d0970aab4a2a6ab6189c539bad55dc80fa8fe9a88de

SHA512
2a72f28844aa9e45aa892f532c98689f5b0c93632a2cf01afc392e479f936c2478dcf5a6e5bb1838c3930b8a131dd2a25648aea168dd838b10f0d5ddc72579ee

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
337KB

MD5
6cb4e9a518d71049662f0eabb413dbd5

SHA1
83c536e3c7ab506693de41e130e96b74ce6f1a28

SHA256
aa80d84e9208caa3b5d827bdb4015ad960717e1f79af212dac87be8c58f8d321

SHA512
719e943e689e2a4e9770a05a90d0b6b3a9b93eafc398970d191c482d675f4485f2b85f00338ff8153f5b3becb9ea511364642007684f9fbb8fa83c2bdf9fb93f

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
337KB

MD5
6d0a3011575e871a90ef35ab6743176e

SHA1
71cfdb83e561d4ac88115eebdfe518d32284bf3f

SHA256
901e3ce88b472dcd59fd18397fd23a134c3b52a26b23ad9aef60823abd2c9f03

SHA512
b187e78e57c54a37c664971528b475e58b823980313f72e5a08da0a809dc57088f8884a360115a1b1bfdb7f54b977107523315ebb450e743b4eb6a6860b5f1c7

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
337KB

MD5
f5ad8a27db7cdf354a3728778d6ae3f0

SHA1
56411403a4b541b96eaf83f0b3d0c4ebf789dd15

SHA256
a7e83891cb683b9df723bfd5cc8a87a5cd69dd8f257044bdf65a006e05111099

SHA512
aa2d2bf8e849912446142d86f803e80c512f2f2023437ce03f1f04c8e3a301403e7e5b78fb1224d1567a729a23d96933d12780be84a42592a8ef9b26029d3eec

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
337KB

MD5
d6c5f105bb675244b28668c1fd3f9dc9

SHA1
20f676cf0980737ec8625e4c62a6eb7606ac132d

SHA256
bc48cd38630d52d1b4d23b834a974a0f95910edd74bb6bbabcdb238847b5794d

SHA512
6dd7faea877c8ef3481feaa02756bc446168bbfddf10e832d31a299aa98446be157605e342930698957ed05ee601e8689c2a880d08607c49e7d0e4ac2214343e

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
337KB

MD5
0c5b2a9a567d91a20bddf2af2d6a76fe

SHA1
6463e7f1f2ec4cb52b61cb6fec92c635ae1cdf64

SHA256
670ee34031268de74063150f0e9fccc0d6f377b509535ff74cbdb0bfa83a352e

SHA512
39b41b5e2195077c48fe96c08119bfca2838af7aa7d3621aebdba1b0f6544e2e6edf6c0d497ddfcfad7ee1f8bb1fc8fa0496b191b9566beb78dad78ae27a28c7

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
337KB

MD5
c6e0574b7552a06c864f41f82839d725

SHA1
0d1725ed83ebd140903abada3df6358a649d0d30

SHA256
b716ddde5118a71584d7655e8c7cbe7b44e363f34a9390b7491a7f3b5b061554

SHA512
8444acab148b626e6aab15a6787ecd5e05c4e7a56d53b91c21bf7ead4d197f75c0596280996f49a69b5f1167d41dcd312497b00a23ddf4aeb4cb8c82ed246262

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
337KB

MD5
4083f22ce7ab1f063bc6f5600def6b62

SHA1
97e5d74c8b8662239a4d9e8d4ddea8221837fe6a

SHA256
4c0144288bfe3dafb85ef21258f3b8434bd9e3b71eb7e48061d988105450cb9f

SHA512
d9e010714adedd358850cbd0df22d1a1fc838fb5ab73a4ff8faa920d658008b49ea354d232c755e2c1b07b6b2638cdeac922df4efdaf8757ad97c383830aeea9

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
337KB

MD5
92aed63cfbcacb2bb6459bd0876d12eb

SHA1
116d58e49786eb60e5b05d999a4b713625385b38

SHA256
9f1b8e8d79096fc38ceebdb0cd840a6a4861032a8f690c1498f03b1b4d21eab7

SHA512
68c9aa78ea218c1b1818204398f2ebc59e4869fd4d58658a81500df27f4c5646408025c7dac068b62d7564f1843987af914bf27f162ac15c725374098e9c607e

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
337KB

MD5
952051a0f2fa6ce07f145f86bfd68bb9

SHA1
3054baa133d4e5f6867d67b344108465a5c2ba5e

SHA256
92a22fb999e8ee6c236691648e01fffd13e7fa9500e0d36bb10fb053d2f1083c

SHA512
b3f906d999941d5bb8d38872adc09e3057368a8f44da970802ca708c1319f07e2b5a673c1b35a9a2a70893a2a904947b9d9ca25b895fd709b428787cf0c6f9fd

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
337KB

MD5
50df0ecfd1c3088cbf2110724ca7dd57

SHA1
fc463432ffe6e28d6f43367b8e0cd55e79e84b6e

SHA256
f3111a45ca970f2e725d3a7e685fbfb360066c23d0aa50666038fbe33ab0ce30

SHA512
bf4695740a868fec4390e6e5e56d14586ae7c63833b8c676ef13433a823d30eef4b053b2424f3b60604c861898da379e596c74fc9e08790a6b36a6232ec79459

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
337KB

MD5
2a6822e29d0bf80c3f90f355d7d7bc8b

SHA1
22fbf2001b4cbc5e52b76dc390083f62c964e50e

SHA256
b93c8ba63c40dd4f8d474b9f6d768a32947f963e13715d7a82a8ec2590bd82bb

SHA512
fc8d6b68f7b5e383fb4d5f4e347415b56f5e575746cf582ad02c01aa5fa2c57a70181858a17f5ccf99a771b2cd0338ec17ff71bd452dcf88c76d97d23c9f8e74

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
256KB

MD5
79bb7f9d04ea262f76a43e3cdf9c172b

SHA1
da74d79cce4048aeddd849692925a05f92408785

SHA256
cff366a19e5ce49fd818e550da738498407823ae2f8c3c4ed2367dfd63e2eda3

SHA512
c9a2fd444403270d5f1b133efd6cb2c702fdb2bf8919da716e377341e4f5342057289cc30c401cb60b118457e580869f18d2a3048a5dd9be73b66e692fa94b18

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
337KB

MD5
bef880cb4823eb0a23c1c240828ecccd

SHA1
cf5b6eba13f02b1775b5aaef5d89f0d5d9e8a9cd

SHA256
7d2661d7fc14be9e70d9d61982f49f3ef6e999201f6fb5463f7e3d419b10c436

SHA512
e8ff252d015bcc65f13d29a33ab8eac7256f0d6b21282e27935d58b529894f5589d1b9d84e3fe688e7e6376880109009e1d9623d79822078f9ad7bb1b45f58d1

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
337KB

MD5
e50965026d9e90c00683e3d53f00059b

SHA1
46a233e21126ea8e1a678d49166942500ea0ab37

SHA256
6c59dbbd8b6971398beca046de1d34bdc9c47b13d4f76440854010cf07b52b82

SHA512
a6ee02a8959111ef5c6cb1ab38aa7bd03a805a73472a54034cf92c60d793f39b06617c4d1339160123b5fce7f6579d0ff390ccbef0123ffaaa6281d03f931aee

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
337KB

MD5
679b14eb4075c822023cb4c28084e758

SHA1
0e6915d9c2e944a7f5959c1645ae2b588b6bf861

SHA256
24cbe05ded167cfeea9a8a0ae9ab67dcf7e6b87de58303936df514312b01e168

SHA512
3a64a4e62a1fd745d215a1706b33b85aeb90aa712bc022bf06a623435a58c57b19efb20b95ae5a5707966ae9a07c62400bb1bdc3c970a06f5597ce49b48be22b

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
337KB

MD5
5bc2d8db9e87b4fbc1e403903a770137

SHA1
abba08b86f04ea92b23f3bfa6fc5b73fa4f46860

SHA256
112d0c7b225ab7eb8b2432c4184b4fd19cbb4e0ed8e66c2e02f0cf7bc1287724

SHA512
b81a772f040fe8713eaf9fadc98559fe43f1f96d3c364388d9bccf18f55aa1c44bd360e8a2ea7bd092d177e4f5328ef401b5a0dc3ea9e11cf602fd54ffc7dd42

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
337KB

MD5
7797bcca084103112365ec8a7f3e2f4d

SHA1
4b64bd988102eef98920be93fe6e79a6b6498717

SHA256
e786d5b3d67ccd5c38e0f675c2156ab71373f0dbeca74f0a073f2bd3a2719a3b

SHA512
70245a972578bd0d21257bb5b78451fb2f26c0e529236d7b0db789aab31ea79068e35b395a5d82f4370accf141f5f51941f478531160a420b3d2b1779f48f8b6

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
337KB

MD5
f4531a20bcca28f90c5962ec6fa2dd04

SHA1
5882ab04c7d195134b99bf30b157f41f67d8f74e

SHA256
41166a8d8e40177cebe75d97f3410870f7dd41de68516d37e3f0887632c2b20b

SHA512
c86af189f292135596d1f3a25f111bb730d64b45061008fe56de87432752baf2323938aa87908c202fdfd481f608900d5bd6bfe3462e1e25b28b1781beddf806

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
337KB

MD5
bb50f03df60eecd839326cc056fab482

SHA1
76030d23ff0304c13a0a8480d25601e84eb80867

SHA256
ef692c33eb57a6ca03f9945fb82a256834a02433e7d04add7538e853b9b19920

SHA512
6bca13c20fadbd3f3ac308edd5562b137f8c4ac669a1c8a398b28ebcb8de7670c7b277b816878fbb915cb147653543fa0497b0c1177d787e1be2fca34914c550

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
337KB

MD5
a103c48de768040ae2ec02627fd0dc2b

SHA1
ac67b459fdd7e2d60837e9c8579e47127f5cc7fa

SHA256
0d6371fb391d14ced9cd0b6e9629ee22a2e2c9a8366a8dbc331a292be2a49f4b

SHA512
1d319fafb00c388e5e91aa55dd574d2a7ab11e977b72b509a073adb7b4b30035e85a70b130f9246c3e43304d9f93b94cc89fb9243f71d8e8287110dbaa5c882f

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
337KB

MD5
67f28960a169439c2eb5766127ea92ce

SHA1
af91b0f6c7189da6c7bbc9df6e4d5ae753773c36

SHA256
c13c815680e159c61b03e0fcf67dbc6b344578193272dcc559ef1c24b375c869

SHA512
a318d2e9bc0b2953c6d0d54a4953fc52a34513db4e0ee267a91861a23bf13bf9d7b8165c9455eb416111b84d209746525420c0b14d34b93aa1ba91079fe94704

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
337KB

MD5
ad9417bc570140abea2947943dca199c

SHA1
6f68470ce3731dac7f62fe0f41c594ad89f2bfa8

SHA256
b1b80108a8526fa76b27c902fa23cf22f79c43f15a6c06c937d0bd5d601a4f50

SHA512
e5d36727d0d09f4d4b645bcf14f63e0944b093acff729b03f45838c9a8b66dd7330f28908d76170c58459c9f99d12024f5ae4e3df9bf4e471847f91f4ed1ab70

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
337KB

MD5
c257567b20bfd9dc7f2f1d3aed57b38d

SHA1
9fd5d0140ef957a71a682c5c0a618732d8947e3a

SHA256
9e81bd2940a6eea10efbe38c2240b39408f6ad31b7aa2fe45190d87f2c77bf4b

SHA512
016254fd3321ca052cb6a110971338fd97ed23691c9125b1b233a7c5f9fef71ef5d9b96737282730670f97559b45eee937429d6b307d1b8870e089a364e55767

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
337KB

MD5
78136e2d734ed269ed2d7cdc2f7e3b3a

SHA1
957d5476c02d731b0723189fdb3e309f48158c2f

SHA256
c3361a6763cf06cf1b86520005bac2e4f8f0e501206a54317f1e7edba54df491

SHA512
7a75f38c532c229addf2479dd6e13fe501cdc97318520bd0f32db7c70415e60d6396363ae2c6eb99a529e23c1a0b5ed30bac395de81071067baa6eb7e8e22b9c

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
337KB

MD5
ea03b5ce7c6762595d63d0c94646ab17

SHA1
ebafdd4ef147c94ff4286f21b719b1bb37b40889

SHA256
b3db78825b4e88e86e06c315a6865b7a400928074baac795017d87947c08f84e

SHA512
5823874934129d3895f6d4088bcbf4758efea1ff2c79bdbbb1fc9617b20e60e1cd61d0a7769d5023a9af9261204eabea0b9abfee495fa3d689b8717e4bcaa4d2

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
337KB

MD5
9450b285a289ca1e0a3e8ad24acdf58b

SHA1
036f8122184dc39250baf19d909bc138b1ce07d2

SHA256
9accf1acc93250b811a48a28006160f98267b2d0d5f287e0720785dc1fd208ed

SHA512
6a074e74130e2ef891f152a85f0c4d21788f512ac0b8e00161910a46ad33ab4f7b6b7d97cb45372b08eeed7ec9a1f69fc5e7b41e3a712c95fd12a42f4e24d137

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
337KB

MD5
4449db70989093e7727e374e9948ffbf

SHA1
92e85209cee101b952813d5f56fe4cb43a0fa60e

SHA256
68fdacb390caa859d4eef520991a84708c1ea0188cbcc7a33b14f221645b372f

SHA512
3ae852dad4ed21ed1fa106a4daf93a0c5419924c0939b9af78c19c3f2b802a94df42c1a1668fe62181b126c22dfef601754210b51b2af491595b09b435dd7d78

Download Submit
memory/692-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3420-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads