berbew | dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe
Size

432KB
MD5

81eeb1a18f76ce8f9b9610d278007c39
SHA1

4df23d75eac960f763918adfe8ac0ec1e18e23f4
SHA256

dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe
SHA512

d8dab594d017e75e131f7029f1f58b241442488a2e488eee32af740198d4a7d0912c6b4872970cca94744e7c9eea50cd8577dd353ecd58fa323d7f08feb3d06a
SSDEEP

12288:Hx/Ndv1si//OVLCoooooooooooooooooooooooooYKiUNl:HRFpWVLw47

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
184	Olmeci32.exe
3504	Ogbipa32.exe
3412	Pmoahijl.exe
2296	Pdfjifjo.exe
4980	Pmannhhj.exe
4128	Pggbkagp.exe
1312	Pmdkch32.exe
2876	Pflplnlg.exe
2996	Pmfhig32.exe
1564	Pdmpje32.exe
712	Pnfdcjkg.exe
3364	Pdpmpdbd.exe
1212	Pfaigm32.exe
4976	Qmkadgpo.exe
4204	Qceiaa32.exe
2152	Qnjnnj32.exe
2892	Qqijje32.exe
4432	Qcgffqei.exe
2684	Anmjcieo.exe
4116	Ageolo32.exe
1380	Ambgef32.exe
1924	Aclpap32.exe
1620	Ajfhnjhq.exe
1920	Aqppkd32.exe
1152	Agjhgngj.exe
3068	Amgapeea.exe
3340	Aeniabfd.exe
2236	Aglemn32.exe
4460	Aminee32.exe
1388	Aepefb32.exe
564	Bmkjkd32.exe
1196	Bfdodjhm.exe
1716	Beeoaapl.exe
2372	Bffkij32.exe
3696	Bnmcjg32.exe
3180	Beglgani.exe
1640	Bmbplc32.exe
2616	Bfkedibe.exe
4700	Bapiabak.exe
3228	Cfmajipb.exe
1720	Cabfga32.exe
4172	Cnffqf32.exe
1896	Cdcoim32.exe
3300	Cnicfe32.exe
2944	Ceckcp32.exe
216	Cfdhkhjj.exe
5028	Cnkplejl.exe
2136	Cmnpgb32.exe
4692	Chcddk32.exe
4260	Cjbpaf32.exe
3264	Calhnpgn.exe
2040	Dhfajjoj.exe
3744	Dopigd32.exe
868	Danecp32.exe
2404	Dejacond.exe
660	Djgjlelk.exe
4728	Dmefhako.exe
4568	Delnin32.exe
2256	Dfnjafap.exe
5104	Dmgbnq32.exe
1932	Ddakjkqi.exe
4400	Dfpgffpm.exe
2408	Dkkcge32.exe
684	Daekdooc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1108	3936	WerFault.exe	152

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 184	3792	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe	83
PID 3792 wrote to memory of 184	3792	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe	83
PID 3792 wrote to memory of 184	3792	dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe	83
PID 184 wrote to memory of 3504	184	Olmeci32.exe	84
PID 184 wrote to memory of 3504	184	Olmeci32.exe	84
PID 184 wrote to memory of 3504	184	Olmeci32.exe	84
PID 3504 wrote to memory of 3412	3504	Ogbipa32.exe	85
PID 3504 wrote to memory of 3412	3504	Ogbipa32.exe	85
PID 3504 wrote to memory of 3412	3504	Ogbipa32.exe	85
PID 3412 wrote to memory of 2296	3412	Pmoahijl.exe	86
PID 3412 wrote to memory of 2296	3412	Pmoahijl.exe	86
PID 3412 wrote to memory of 2296	3412	Pmoahijl.exe	86
PID 2296 wrote to memory of 4980	2296	Pdfjifjo.exe	88
PID 2296 wrote to memory of 4980	2296	Pdfjifjo.exe	88
PID 2296 wrote to memory of 4980	2296	Pdfjifjo.exe	88
PID 4980 wrote to memory of 4128	4980	Pmannhhj.exe	90
PID 4980 wrote to memory of 4128	4980	Pmannhhj.exe	90
PID 4980 wrote to memory of 4128	4980	Pmannhhj.exe	90
PID 4128 wrote to memory of 1312	4128	Pggbkagp.exe	91
PID 4128 wrote to memory of 1312	4128	Pggbkagp.exe	91
PID 4128 wrote to memory of 1312	4128	Pggbkagp.exe	91
PID 1312 wrote to memory of 2876	1312	Pmdkch32.exe	92
PID 1312 wrote to memory of 2876	1312	Pmdkch32.exe	92
PID 1312 wrote to memory of 2876	1312	Pmdkch32.exe	92
PID 2876 wrote to memory of 2996	2876	Pflplnlg.exe	94
PID 2876 wrote to memory of 2996	2876	Pflplnlg.exe	94
PID 2876 wrote to memory of 2996	2876	Pflplnlg.exe	94
PID 2996 wrote to memory of 1564	2996	Pmfhig32.exe	95
PID 2996 wrote to memory of 1564	2996	Pmfhig32.exe	95
PID 2996 wrote to memory of 1564	2996	Pmfhig32.exe	95
PID 1564 wrote to memory of 712	1564	Pdmpje32.exe	96
PID 1564 wrote to memory of 712	1564	Pdmpje32.exe	96
PID 1564 wrote to memory of 712	1564	Pdmpje32.exe	96
PID 712 wrote to memory of 3364	712	Pnfdcjkg.exe	97
PID 712 wrote to memory of 3364	712	Pnfdcjkg.exe	97
PID 712 wrote to memory of 3364	712	Pnfdcjkg.exe	97
PID 3364 wrote to memory of 1212	3364	Pdpmpdbd.exe	98
PID 3364 wrote to memory of 1212	3364	Pdpmpdbd.exe	98
PID 3364 wrote to memory of 1212	3364	Pdpmpdbd.exe	98
PID 1212 wrote to memory of 4976	1212	Pfaigm32.exe	99
PID 1212 wrote to memory of 4976	1212	Pfaigm32.exe	99
PID 1212 wrote to memory of 4976	1212	Pfaigm32.exe	99
PID 4976 wrote to memory of 4204	4976	Qmkadgpo.exe	100
PID 4976 wrote to memory of 4204	4976	Qmkadgpo.exe	100
PID 4976 wrote to memory of 4204	4976	Qmkadgpo.exe	100
PID 4204 wrote to memory of 2152	4204	Qceiaa32.exe	101
PID 4204 wrote to memory of 2152	4204	Qceiaa32.exe	101
PID 4204 wrote to memory of 2152	4204	Qceiaa32.exe	101
PID 2152 wrote to memory of 2892	2152	Qnjnnj32.exe	102
PID 2152 wrote to memory of 2892	2152	Qnjnnj32.exe	102
PID 2152 wrote to memory of 2892	2152	Qnjnnj32.exe	102
PID 2892 wrote to memory of 4432	2892	Qqijje32.exe	103
PID 2892 wrote to memory of 4432	2892	Qqijje32.exe	103
PID 2892 wrote to memory of 4432	2892	Qqijje32.exe	103
PID 4432 wrote to memory of 2684	4432	Qcgffqei.exe	104
PID 4432 wrote to memory of 2684	4432	Qcgffqei.exe	104
PID 4432 wrote to memory of 2684	4432	Qcgffqei.exe	104
PID 2684 wrote to memory of 4116	2684	Anmjcieo.exe	105
PID 2684 wrote to memory of 4116	2684	Anmjcieo.exe	105
PID 2684 wrote to memory of 4116	2684	Anmjcieo.exe	105
PID 4116 wrote to memory of 1380	4116	Ageolo32.exe	106
PID 4116 wrote to memory of 1380	4116	Ageolo32.exe	106
PID 4116 wrote to memory of 1380	4116	Ageolo32.exe	106
PID 1380 wrote to memory of 1924	1380	Ambgef32.exe	107

C:\Users\Admin\AppData\Local\Temp\dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe
"C:\Users\Admin\AppData\Local\Temp\dc2e4fa9ec97dd05831983c860c0b9eb391fb8dddbd487d5ab752b0e87471ffe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\SysWOW64\Olmeci32.exe
  C:\Windows\system32\Olmeci32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Windows\SysWOW64\Ogbipa32.exe
    C:\Windows\system32\Ogbipa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\SysWOW64\Pmoahijl.exe
      C:\Windows\system32\Pmoahijl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 408
        69⤵
        Program crash
        
        PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3936 -ip 3936
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
432KB

MD5
b263151c9a0b38c2d2c4f53b23e9290a

SHA1
3417e33f14e0da8e013e2de442e62abe697739a3

SHA256
a3281e7c2f63ed07f940694a0a44be01aaa1c2ee090754b908a50cc6da189a7c

SHA512
21b9d74c2d792c0e52c892035c4b73b4a4474e7fb0e8e1556a8d35337725a0240bcd76e66fcd0d44d113d4515f52cd0c7e3035973b24502694193710d0629fe3

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
432KB

MD5
ae7f8000cb9ee3570eecad1fb8b3c520

SHA1
96c81832678beebeaa42d3ace988f01602af084e

SHA256
21a5038d71e491caaf977df1a00e39004daccb55f37fef8105ce7bd1b639bbb0

SHA512
865948539ea539162887bda90d4751417cf231a905a9f890fc60db1bb93efbe344b5fad1ddb703889a041faff735a12b199fd16ab46a742026ed78566f880373

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
432KB

MD5
a98275afc7cc5087b5c29585b2957e7f

SHA1
72f7c6a4452a058fb67c85873d6552406f1f7684

SHA256
cfaf62d37a63afda2e821a37342c1639a0e0a56f0c772590831ddf1845fb5d0d

SHA512
808c6545772fb551f73f67ce4593d1c3d299ae88d710a11a95e50799b7abcc088c93ede85f15265fd0b59c4eba84ee17e4d441d90c11c94b9e231b1753cda863

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
432KB

MD5
1772e80ee964db7e567c1dac17231240

SHA1
ec00da1cb2ddea87b3a6c713130397e599879637

SHA256
8501aa201cda7573fca4d5d3455d62db66f121e6a6058bf5e5d414bcfb1fbd2b

SHA512
d556c013b3f90c30804b4b3c60ba84317a734d0a9e57e1a8a4e08b45920b5dcd1ca5892ff2bd8fced9534bb502aa454c2d343378b693ee60acc3a865b54dc6f5

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
432KB

MD5
0fe09c089e693e11bc76de036cc1e996

SHA1
db3573fc8052766daa39db879775bbbbfc41a1a4

SHA256
46f499feaf4db7cb15cd66141c31e755bf1423437c721f0cd02736eda80377ad

SHA512
8659fe1dd5169d0954cceda4637ddeab44691b22e5910bb0a54781e615a2d557d773c8199157e82fc0e7be0e1a4e235df35ea463452c75b685c733fa48741774

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
432KB

MD5
3d6e2eb944c076a2c991a1b478cd141a

SHA1
ae61ccb4ecd45a248df02f6ccba9e2e27e5e92a0

SHA256
01bbd086bb15b945bbe87d755c87ac6bb6e0474215458b8793d3ee8cf9d9d725

SHA512
276a2a3b248e3ce101f5e2193da51daefcde388f008b9a06ae1c0153e85396dfd6f5a891217311357247e13021a2d31040d64ae5c5ecb13168343bebcc7dd467

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
432KB

MD5
7543a913c0a5c55957b6a7419a73a3a7

SHA1
41270c8db1947b1e8e9ff5b7f757fe1768128b7e

SHA256
c05060940dfe66daea7768d1e51eadd3f3bc34eef4a7013aed861c7c9278e714

SHA512
41f12a8078bd6d4437fcf03692f2e2de2d40aa1fa77854fcc921d1841ef93b2facafbb6ced52c268e1adf2f29c1e5472ddc156f7a9e5c2b466426310b899d5b5

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
432KB

MD5
6b4c6754fa3ce5a85547bfac1fbad91f

SHA1
3d73ce7c6b5d29dccaae0362922defd4a8814ec3

SHA256
a5f71fcbb5e6d6bb5f3626f3675e4c1600429e3226ab71ee46d7bcd171693c22

SHA512
15131f86538639c7496d9a797b714671f4eab52ea1f1365605ad6adacc1ebfb58933681f9ce35eb0574a77f0d37fe95d67fc20cf9dbf0f98d29b7ecf84dfb3a4

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
432KB

MD5
8947adfc5aa316d9e076de3a88eb336b

SHA1
82d93b254508ae8d48f6d75e54606a9d9bc12325

SHA256
4794b56a73de2a9e9a027b855a701a04eb4f9e57ace42fca362633b9694c1726

SHA512
fd8804c0109a5dbcd67f63be5c853951b3fbf0149c7e9bc3137eac1723aad45279b7202cbbd1c859f4aed89e9550a48da150af21a422eb58302250e3a9b35be8

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
432KB

MD5
115d2f0ccaa668edb788ec186dcbf20b

SHA1
8c5cb321133fa02aaf6f48aa3a09a2d8e47e072f

SHA256
ceb14ff1221873ff57a4a0d57d0608577b8d7cdd31a0060dce445fb1847a97fe

SHA512
9d72559b44ff1f072b81024ca73cf51ef76c2eec55a22dce22fac2b0fd7adab2adbaa0b30e35c2737aac72c45d430e23b42531b4d480ee4c7b735e152e1bee83

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
432KB

MD5
39eda4c474b8142cf5f01a8148c80b3f

SHA1
05a3487e03aefed706fc6f694340090774fea44a

SHA256
440704986993a0737a100f94e43ed20e95e9a15ee0a0f728fe7fdb60a1d77f1d

SHA512
1154f7e0f97013f5bdfb3fdbb58ace7c23634a2988d522ac5c6bb65356ffc3690e1e303129f7cb4da071bc27be1db0c7b073e64164c6045463ab623ef3b7f878

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
432KB

MD5
1fd1097c9be102fa46595a115c27b635

SHA1
cc92282837d30027dfa897dee0471a7099c57416

SHA256
cebc86773b3bc1d863321eb68d922513b45a3c39e285bb4cda984ee3484ccb66

SHA512
bf6846a9568c8f84ea0fc226a54fde39f289071b5777319c892e0ae920544fb026f898370cc57032e255d478c45032eca8b2df2bcf1db7d6738cae3d5d9b7108

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
432KB

MD5
3694e1bdc2a1c3a29705e934a0ff8ead

SHA1
dc3abf0dbe989bf94febdf8cbaa08956fe79433a

SHA256
4c04f2bd0ce6324f03e9eb0525a25a3c6975a60447551af7e37fb70109a82384

SHA512
da4341f0ed634b4705aaecb4f7ff027a997eadecd77a4c6376f5d2f28dab2801652af62cbb44d570666a2adb3c6ade16f905f19c33ab9555d35d7ba52e92d8b4

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
432KB

MD5
6b334c44f7a02c678beb769a18efcf9b

SHA1
38f2c26ed0fbb3584712ecd59d21def7d8c17d44

SHA256
77cb7463667a10dd8c6f302e1b65f0f46d3ba7c7f6f93d24dad4c1435f1ea702

SHA512
99e4c4fabea3824419e45d42191ede6a26fac260d9b38c7782d7745ff15830e42b085c72f97e752e7ff7e4c7752ce5f3c08c4a9e77742853a66835a6fe74366d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
432KB

MD5
0bcca0f9465b809753a25a0d34f02148

SHA1
e4cd8b11bffaaf4823bac73c1e859dfa2c9316ad

SHA256
f4295f27349cab074803b98e3a7552aab2adb718c3e2357c07d66e1343528f67

SHA512
40fdee4aefdb523837435549fbb7cbf9c654f04c9bba8e9ef4ddaa20c465c8e54f6803b445f7cb4a69e815fd757af9075e46ab2426f4418bfa21b01a16015b39

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
432KB

MD5
f1c2c4ec576b68e911f064cdb09eb7e3

SHA1
5db391b51f8aa39d61388372db25c80d9d0eff33

SHA256
6e0cfce13eaaf9bbe0081b0715c2898d40f3e47093a4f337f3f8c380fdc2ee9e

SHA512
4d358a61da29c84ef3ddfd0e3a60116aa9175853fb54f8df769f87976e9befdf843b94fd8a397310ea17ea4bb77cc39c2d19b505a4375cf0471e253840a78aea

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
432KB

MD5
43c54a2d9a983cea547d2211ab09b4ee

SHA1
db61ac45001b56bd61cd10a2b63678834f369a04

SHA256
96d04d4535bde738c60af7a5bdb279ad2af8ef329a7d22c925453860b996f036

SHA512
d2c06b99194a0225427cc5585cbff53794e80b7991e9637a8c1cebe41088186d99bf66ba319aa18090ee925211d3e141f10026a3ae17147e258edfa04fcdf9f0

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
432KB

MD5
d29b1fcafdb08f579ed31980d7bde249

SHA1
9d9490e27bbe0c7a687210987ee39f70c69c6b1f

SHA256
a79d46ce3e2f38f9aa877c5713a96f2335c9f0b84dff85fdc20a78252d0be887

SHA512
8731a6c73a18a157450be55b16326e44b03f430f008b55984533cc4c0e6f8400de2fd05592a86db32c3f09c5e73f702826babf86060503a5ac67412b50a5171c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
432KB

MD5
d9931ce3f82cd000cc411b2a9984bf09

SHA1
400cea07348c31bae351273b3105d700b995542f

SHA256
7cc9a351e6457bce8d8780ee49470dbe33605be6dacf5a1720e4719de9af35f5

SHA512
18cc83d1bb4ff74c68c5f8688d0a5e09de828c73f420c4f0ab9f817c88abc38a85dd0db36490d102d17707eb3fd0d4547710eec8271c5b36cdc8070cf9b1625a

Download Submit
C:\Windows\SysWOW64\Hdoemjgn.dll

Filesize
7KB

MD5
1d00759049fb4e3a46b7382e6eb4b643

SHA1
a0f61fdd1cad99e37da4e639ff3c1dcae99cc258

SHA256
cfe84b9ff3f9f225d8807ab6356e86a25ee21b665144593937eb016da9d250e9

SHA512
b9ade04012941b7de7c918073a70692c9405893d4963350d3f00dd70e018660506dfd09d4ec64bacf072d399568f9f074a66984aee1fdd906db6882126c0cf21

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
432KB

MD5
a7e42c8bb0853b2ca43a6c1a01fc9b5d

SHA1
1b53664ef68ccbb1cbdd16b8483b2837b624a141

SHA256
d9058b609aa07df52d50e6c9a88e7e22be7888424605369b21e211d575b9abca

SHA512
b19c252acc2e9ae0d3c292f3bb7158db8a8a0ba638947b0afc84d3f18b06cc6cd74ed1ab6630397eb429d8c8950f75650fcddf83e9332beb8c114e4ad0a1d912

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
432KB

MD5
6417926d30f5545c9207e0e53bfc7df6

SHA1
a7b81867a9e59a4fc462b86f4e3defba91c0416a

SHA256
c0d8109e621f7a8f0dd5c62cf4b1c90cb20972fcff3b8a3f62e7735c03fa8c62

SHA512
97be33c841b3b148d0791e5bc3308be7d6343ffe31fe3c56d8dfed57fda8e77f2b6225d1e37c23576e50c4dd71421b00fb201332a3eaef5e064af878806796d4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
432KB

MD5
9d3a2c4fb2b108b5d476ad6255ba3f59

SHA1
418bcf3f9e8c6bee22249ecb65d9cdf0a8f4dd0c

SHA256
b85978447c0ce7625e7a9c5eb250b7fed64239348a85d4e8ac239f17c1c96ac2

SHA512
df735787bd6435aeb1c234f3c0dd6e38745e89555e85f5d2ae6dac1281ce2d5309520fd25020d3c8ad5e7525491508e133de8197d92d5a82856634c21f9139a3

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
432KB

MD5
a3b89766ffd0fa71e0601c8fb4905ec5

SHA1
01ac233e1f35ce84ebe67e72c7609015684b72ed

SHA256
e5177a09b2b28401d3da332e06ae8fb9197c95a1ff60fcb0fa18d697f8198719

SHA512
71994dabfea5322f7f3693ebfcf030638a52277137c46920ea23b34acbb0bfce5625b8bcd7ce51ad423ab8956efb2c626b8fb786d7280c3d8f2f5ff13cc8a84e

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
432KB

MD5
6745224ae6e760acbba1bea5f8c14af9

SHA1
ee79b2c7dd2613aaaf5e6b977da74f87fdddb88a

SHA256
ef3dff2f6a6e4fc37a5c9567d43c0ea7291bed9b8113efd6185815eac98e7db8

SHA512
c1512b126b4438359054fb4a261ec7cd635341d1ea810890c762c5cde2cdd45b0288c1974d6d2e7ecc4bfa1318d19dc6a54e77075e2da360f7d21112489b307f

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
432KB

MD5
89f4a0c21ae8b9e3de0a32168e7ac5ec

SHA1
978a30afd08c51a786a7421e861298a80baf2e66

SHA256
c630576a8f9bf1dde89dc9e9b4fbcfd89f83e2695ddb0476d1856ce5623810e1

SHA512
1fae89ec109c79956a1fcfa273893bd4f715e9559400dd5ddb7ff93b15fdc8fba4a20b99a421fa6dd4766d378bb66cd42610c3e74a206977caf00a22170d73f4

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
432KB

MD5
62f537064362d5e4bdb2b81753e4a746

SHA1
4fc8c6594e7e4193ccdf5632e50b4f1c9deb1205

SHA256
e4a19d2691bbf4728b73e39f767fea2533631b1d30cc8864dfe8b239c3010bda

SHA512
dca1487f27a52ce533dda95d0c3e78786c5f2a95fb95c5ed0149ce6ad7251711030a7d779517e657ad54a81497713f82d63180c1193bd69ed0cb9976e41251ff

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
432KB

MD5
0193d654df3925b9ef046dfbe0206c18

SHA1
16b5c93a7af93b272bbb3e8a4a39225a00d3cbc0

SHA256
0aaeac80ef58a071da74108f45a9d4c7c1a1198346cf5e5c7de7cf66f785bb71

SHA512
7b0e6a24454156bc224942d8b89f9c2cc51ebd5af6dea1074f8018ae1d5cfe4a4015f0551ffa8c389633f88ac247e4b90a1801323822bf0d424e4513927082bb

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
432KB

MD5
4243355ce869ae755c903c7ac6f97862

SHA1
2e541ca21b3dd9daeb232a745c1f49695768d06c

SHA256
21cf0feb0d48bb45f04b7afa1e9582437ffe63b22004774d58f065b5625b1029

SHA512
cca88d7233052db146221731ca0535bb266bf4ac1224a25ba9e81bfdadc142626fda7139b10b8200a481404ecb30b63d7ffcf6578db76f940f295cdaac5a6727

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
432KB

MD5
406d7b2495142e4d889179fcd4dae2ec

SHA1
a0159cccb78a4e3bfbb361dde5b24936f9cb57d0

SHA256
caa94ae31843c9eb854149022bb7dba1f875fdfc9e2c56b2c37db3748d5f27a7

SHA512
af429711b96181f9bcf75200f6d3404db8ea83036d9472ee92f566fc2f05569bbf902757b2ed6dfce53e439e3f4535f2da336cb230d46f3d56acf1958bd8bc50

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
432KB

MD5
372b4518122b8e5d14e1a97f18d1f998

SHA1
e82d7b3c00ba7d0cf0dfa093e7f3cea1d1ac1726

SHA256
bd12054d1c0cdacf8a32a1d399bc2ceed682636734a15942171f2688c5fc5b80

SHA512
038b429a612c09d61463b331bbd4e4291576b3b0f3e76b91f0f47bdd892c62883c4d3c4d6d5a7472287e613f6fc1fdba9c73ff93f6cd8ac7f986d1cf255a3d77

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
432KB

MD5
cd1aa58ef812524adfeefc95a7e0b38f

SHA1
ad0d8549df842807727e485fc3f018488b9ac77f

SHA256
ff11f773a43e526ae27dd0d338aa863ce99aa95b911a63b2ee52fae929a38ce9

SHA512
9c82d7c9f4541d922fde8dea0bcd9e35856e31eb320cb8531d18100f4be3dbfe971c29ea4faa2e7298c39c36bfae240702d298fd0338ebee6b0a5275a4e864a8

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
432KB

MD5
0833741ac7b098c386d74cb54dc3dd46

SHA1
42ba51766a6784bbc3b242a526c8c4e350456872

SHA256
62286c86a541cab1aedd6b45fbaa4b3ddbf181cd41eadbefeb1f4ede94edc4ca

SHA512
8cde351fd29e54844ef9c29bd6f6940188b50252ca7c79932845a8b7a8e9e127258bbb14933164a3ff4dbc23b3fedd100e5bc05b7f7dc89f91f1eb37d01e871a

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
432KB

MD5
64110802fd493d75d9ffd85a90427204

SHA1
2f1ba06028bc735426bcd26931842beb1262bcce

SHA256
bd04f41e39e4f4caefae93f5640076abd38c0b05ad662adb068b886c055f31dc

SHA512
1e442dd61ef74799c19ade37230c3305dbc367e5e8c02b9702c90d0d2f02e65cadbfc0bfecb3640838335c66bbcaf0966ea0472f0265b2517a85c370f11330f5

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
432KB

MD5
7f7c31a054c3730c60b7a8ef9e28ae5e

SHA1
d96633224fa2562d9f99ad8e6921c7f511320706

SHA256
88927d2616a335d692a35a3c261f98233e6dc1a3240ca600296ac49d36a7e9a7

SHA512
92138c92f79546ad5b2fb45a74b8354880ab867233a6712735d003805af05f7d98446b7892009bbac0fee4884ceb9d1464cfa15fa68c9b803cb541271204eb98

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
432KB

MD5
964054146c76181e8a6cec4e9b9bbcb4

SHA1
fd5c48ed89a01d157af6615754c8618d2f9e7e5b

SHA256
07f1e8242215918f492738ff4109cfbaf3e7e0d187eec5646c01e157292d08db

SHA512
fbd757b5f4c9c0ac79d2bb145f2ba9a78aa8a68d1be32a14a254b9953c63e42f394948e9efc034f0dacdea487d5f65a78ecf2898943867ccad043ee6822e6b5f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
432KB

MD5
0ca1d8213bd07c5e32584452299a8e9f

SHA1
eef51d376e44bbeadf3be976e47addd02dd11501

SHA256
4d3a58a431cc0a49b4dc4e069dd15dc47318968930d61b7192ddeba7be53edcc

SHA512
cc3244e3a5328a8df691c26901a8efe2d9e0b7571bb123bbc533ce341c0edb9e6bb0c466fafbf205e9cdb05e9f5807462c25024748590ab4cf9987b61883f262

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
432KB

MD5
da877e19c523ce7646ef0e88d4a8dba5

SHA1
4ad7522dd22999ea994cd21985ba8b9e9603597f

SHA256
64b188fb611f037bbc84ccc05cf62211df1c5c83489e68498a4e49936e16d382

SHA512
4580b1893501cfac0ccee611b3539d5d3feaad583905d40fd8d9777db6bd693bc23e672fead0ccabac0f456da954bc302ab1a3d0e8c94bd128d67cb950736d48

Download Submit
memory/184-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads