berbew | 70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572c

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
Size

45KB
MD5

84f25b016e7917b2c50eb1e566963040
SHA1

3093a79d00feb0824a8e59a653300027671dd536
SHA256

70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572c
SHA512

4ae57cb4c4f91e88f0f8fe09ecc371e5049f8bda1c74f31ef2f4cd83c6892dfacf1e39df606bd075d3ac75eb4f74fd3ae478e15d73d1eaef734c484f9d3449e6
SSDEEP

768:gWpAKbtmGQt6BFoqciGEs0oRVzb06L3lg8qxcF4UMbTTfh49H4YqL/1H5Z:g9KY+1GEspvgvbHGoT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4496	Pncgmkmj.exe
3704	Pqbdjfln.exe
3412	Pcppfaka.exe
2212	Pgllfp32.exe
3268	Pfolbmje.exe
516	Pqdqof32.exe
4292	Pdpmpdbd.exe
2440	Pfaigm32.exe
716	Qmkadgpo.exe
2012	Qdbiedpa.exe
4600	Qgqeappe.exe
1280	Qfcfml32.exe
4636	Qmmnjfnl.exe
1164	Qddfkd32.exe
2608	Qgcbgo32.exe
2060	Ajanck32.exe
4036	Ampkof32.exe
228	Acjclpcf.exe
1472	Afhohlbj.exe
4840	Ajckij32.exe
3464	Aqncedbp.exe
1604	Aclpap32.exe
4996	Ajfhnjhq.exe
4668	Aqppkd32.exe
2580	Acnlgp32.exe
4556	Agjhgngj.exe
4024	Andqdh32.exe
4396	Aabmqd32.exe
3980	Ajkaii32.exe
2740	Aadifclh.exe
4260	Accfbokl.exe
2128	Bjmnoi32.exe
372	Bagflcje.exe
972	Bcebhoii.exe
1880	Bfdodjhm.exe
1544	Bnkgeg32.exe
4432	Baicac32.exe
3764	Bgcknmop.exe
2736	Bnmcjg32.exe
2456	Bmpcfdmg.exe
1108	Bcjlcn32.exe
4052	Bfhhoi32.exe
3284	Bnpppgdj.exe
5116	Bclhhnca.exe
3232	Bfkedibe.exe
920	Belebq32.exe
4744	Chjaol32.exe
2996	Cmgjgcgo.exe
4348	Chmndlge.exe
4860	Cnffqf32.exe
3368	Caebma32.exe
3424	Cdcoim32.exe
3196	Cnicfe32.exe
3556	Cdfkolkf.exe
1632	Cfdhkhjj.exe
3488	Cajlhqjp.exe
4156	Cdhhdlid.exe
4892	Cjbpaf32.exe
4944	Calhnpgn.exe
1412	Ddjejl32.exe
4624	Djdmffnn.exe
2984	Dmcibama.exe
3796	Dejacond.exe
1516	Dhhnpjmh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5140	4520	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4496	1684	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe	84
PID 1684 wrote to memory of 4496	1684	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe	84
PID 1684 wrote to memory of 4496	1684	70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe	84
PID 4496 wrote to memory of 3704	4496	Pncgmkmj.exe	85
PID 4496 wrote to memory of 3704	4496	Pncgmkmj.exe	85
PID 4496 wrote to memory of 3704	4496	Pncgmkmj.exe	85
PID 3704 wrote to memory of 3412	3704	Pqbdjfln.exe	86
PID 3704 wrote to memory of 3412	3704	Pqbdjfln.exe	86
PID 3704 wrote to memory of 3412	3704	Pqbdjfln.exe	86
PID 3412 wrote to memory of 2212	3412	Pcppfaka.exe	87
PID 3412 wrote to memory of 2212	3412	Pcppfaka.exe	87
PID 3412 wrote to memory of 2212	3412	Pcppfaka.exe	87
PID 2212 wrote to memory of 3268	2212	Pgllfp32.exe	88
PID 2212 wrote to memory of 3268	2212	Pgllfp32.exe	88
PID 2212 wrote to memory of 3268	2212	Pgllfp32.exe	88
PID 3268 wrote to memory of 516	3268	Pfolbmje.exe	89
PID 3268 wrote to memory of 516	3268	Pfolbmje.exe	89
PID 3268 wrote to memory of 516	3268	Pfolbmje.exe	89
PID 516 wrote to memory of 4292	516	Pqdqof32.exe	90
PID 516 wrote to memory of 4292	516	Pqdqof32.exe	90
PID 516 wrote to memory of 4292	516	Pqdqof32.exe	90
PID 4292 wrote to memory of 2440	4292	Pdpmpdbd.exe	91
PID 4292 wrote to memory of 2440	4292	Pdpmpdbd.exe	91
PID 4292 wrote to memory of 2440	4292	Pdpmpdbd.exe	91
PID 2440 wrote to memory of 716	2440	Pfaigm32.exe	92
PID 2440 wrote to memory of 716	2440	Pfaigm32.exe	92
PID 2440 wrote to memory of 716	2440	Pfaigm32.exe	92
PID 716 wrote to memory of 2012	716	Qmkadgpo.exe	93
PID 716 wrote to memory of 2012	716	Qmkadgpo.exe	93
PID 716 wrote to memory of 2012	716	Qmkadgpo.exe	93
PID 2012 wrote to memory of 4600	2012	Qdbiedpa.exe	94
PID 2012 wrote to memory of 4600	2012	Qdbiedpa.exe	94
PID 2012 wrote to memory of 4600	2012	Qdbiedpa.exe	94
PID 4600 wrote to memory of 1280	4600	Qgqeappe.exe	96
PID 4600 wrote to memory of 1280	4600	Qgqeappe.exe	96
PID 4600 wrote to memory of 1280	4600	Qgqeappe.exe	96
PID 1280 wrote to memory of 4636	1280	Qfcfml32.exe	97
PID 1280 wrote to memory of 4636	1280	Qfcfml32.exe	97
PID 1280 wrote to memory of 4636	1280	Qfcfml32.exe	97
PID 4636 wrote to memory of 1164	4636	Qmmnjfnl.exe	98
PID 4636 wrote to memory of 1164	4636	Qmmnjfnl.exe	98
PID 4636 wrote to memory of 1164	4636	Qmmnjfnl.exe	98
PID 1164 wrote to memory of 2608	1164	Qddfkd32.exe	99
PID 1164 wrote to memory of 2608	1164	Qddfkd32.exe	99
PID 1164 wrote to memory of 2608	1164	Qddfkd32.exe	99
PID 2608 wrote to memory of 2060	2608	Qgcbgo32.exe	100
PID 2608 wrote to memory of 2060	2608	Qgcbgo32.exe	100
PID 2608 wrote to memory of 2060	2608	Qgcbgo32.exe	100
PID 2060 wrote to memory of 4036	2060	Ajanck32.exe	101
PID 2060 wrote to memory of 4036	2060	Ajanck32.exe	101
PID 2060 wrote to memory of 4036	2060	Ajanck32.exe	101
PID 4036 wrote to memory of 228	4036	Ampkof32.exe	102
PID 4036 wrote to memory of 228	4036	Ampkof32.exe	102
PID 4036 wrote to memory of 228	4036	Ampkof32.exe	102
PID 228 wrote to memory of 1472	228	Acjclpcf.exe	103
PID 228 wrote to memory of 1472	228	Acjclpcf.exe	103
PID 228 wrote to memory of 1472	228	Acjclpcf.exe	103
PID 1472 wrote to memory of 4840	1472	Afhohlbj.exe	104
PID 1472 wrote to memory of 4840	1472	Afhohlbj.exe	104
PID 1472 wrote to memory of 4840	1472	Afhohlbj.exe	104
PID 4840 wrote to memory of 3464	4840	Ajckij32.exe	105
PID 4840 wrote to memory of 3464	4840	Ajckij32.exe	105
PID 4840 wrote to memory of 3464	4840	Ajckij32.exe	105
PID 3464 wrote to memory of 1604	3464	Aqncedbp.exe	106

C:\Users\Admin\AppData\Local\Temp\70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe
"C:\Users\Admin\AppData\Local\Temp\70ebddeddae1351fedb56932b99d4ee7c570284d95170960581c26e781e6572cN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Pncgmkmj.exe
  C:\Windows\system32\Pncgmkmj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\Pqbdjfln.exe
    C:\Windows\system32\Pqbdjfln.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\SysWOW64\Pcppfaka.exe
      C:\Windows\system32\Pcppfaka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        43⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        44⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 396
        79⤵
        Program crash
        
        PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4520 -ip 4520
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
45KB

MD5
1a894b15a0568f1714e3e84b661a252b

SHA1
2f8cb15031e41210ea55a7ff31acf5cf0b68c734

SHA256
a8bf1c20178fb6b391cc921b202497e14b3f8b84865df6f8be543fd3d9e33768

SHA512
afeb4cbc05784cb93c2043209d54dc5dc209cb08a76855589242a6391fb7d22933e13ffa44ddd2161fad5ffed69dffb06ee1fdf5f043dba4958456ada0707d67

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
742c2fe63fc50438d2dd8b1bba6fd242

SHA1
301fb77dc28da93e53ec2efa24b38d934d5ff71e

SHA256
f1f9a69fce71f0fffb97f468ceaab6771cade761ba9d2948a197481fb862b5a4

SHA512
d4601b32e4204609b43040d7a7426bda447c7e034a68de43a38c813e6511611f37f650791fd9880048e43778a0c061a992e962a3fb879ca25c1ba0edf02a3e21

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
45KB

MD5
a5d588772ef394866dbcf0e7ee197f97

SHA1
7321b2dbc05da85f4c1d3264cdf5157a65a50f1b

SHA256
4c7291709a6385f59c26fcad7c7b35cbffb9ffa564b18d45f1e7d5e7b519bd82

SHA512
b6bf7a040c2ac381a9b7bd8a458f35911eb41f5bb1b5e928f374e95a2cf2503a4015fc24c30d136edb40895b22e1c2e347d86f7e90f165a05d6e75384d38a752

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
45KB

MD5
82db6d1e5827516b847ca89492cd1687

SHA1
bffc46322ac954c3219ca75615f4af564d15bc1e

SHA256
65f10c3366ca1066cf40850816b2706a896474a77cc1723aacf353ed769fc5f7

SHA512
5235b7e73ddae201b9ac801a1b8293c31a6bc7d29089c6e26a6264b178ca56c0fd637346e2d7617562c437487c1fa10f092b982fb695fb4d6b5cc51a199612cb

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
45KB

MD5
830db806fb2f0dffff24ee3c1138440f

SHA1
9ae4397efe7df4501cc93242c1f561a5e9559d8f

SHA256
47ea88d7ce6a6c936168fd566a9f264139179ba1f1feeae5d2b7a2fe17a4cc40

SHA512
9951954505859d4df332b2bf5a71b2ddb92df44552c0fb2193a284ef310d852c49e53432acfecf990a84fc8f60119ffa17fbf9c0f745f5808969e52036ef3a61

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
45KB

MD5
2989c268180c5f67539389f4e0103732

SHA1
0a31eb3b3e7b4973f419f2fa03846f13862dfa2d

SHA256
091b9eee93f9e8d19988f889297f7603e519bcaa0b9cb5b577d86842bf578d95

SHA512
286b047f3b7998c4366b59ae177db033257e6be6a1166ed83d1e02d92ff7a66b5f93b4e40ef460c3f3dea279f07bd77b7230fd449315b77dd05d22bb6e58e0b4

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
45KB

MD5
53f24dbe17e585615bdba2bd99b3b2ec

SHA1
22f8655f3cd7688ab29ae882d0d587facc1772c0

SHA256
b5b6b381bc5de44fbf26570253ec07bf9f46b9f73a070c558cc9b65d5957a81a

SHA512
fb195a5eb956c78b73c71567ec6161756c23c6f068f8d585fd9c5cc80c3e493e2b2fcec307b67ad16e5b872fcc4b82d47e3d8bf8189d427e9429a7f55b1ddfca

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
dff0b0e3d05db21b7e0842273464be7e

SHA1
9f83b7f33d592972f5e42d9c87abe727fee909ee

SHA256
af5f89dc77ea4f9886795136c90b71f798d3e41a36b2c1c12d1960005eca7faf

SHA512
5d8cd5ce081612b99f1911fbe911468dca9a863f97823c38b04a12e0459e9c0506972daff3a5f42eee9421eec041c5ed1126ad3c21019a8098c6c0206e7b71c9

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
45KB

MD5
5aeda62fabe7e7655161484225e676f6

SHA1
7d1eb22aed0e3e95e19e8d88f1c8c5e698afd7a0

SHA256
9fc02b40ad11b14bf679fdc242bf2fa5cf23fa3c433d835297c783d16b681e7e

SHA512
05741a067a6ab4c39c0e482c1d892b00d612afc330fdbdc32b5018c40fb31e7b73146860ac739cc623656725843b3903250a1f9cd74fd7692e5968da7b899a04

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
45KB

MD5
453f44a0f65d75060c3ca9bf6f6af97c

SHA1
43af03a73c99274ed567dcb20a67da3546f3e306

SHA256
574ec7dd905b5f23ea7e55dba0aff90a7906a0c931b88b6cba2e0a515b96ff6a

SHA512
cb3177ad7e15210b31d4850d00da74e49f9ac18987430cef4e2a9b53e9ea9558c8ab53e7fed76f6f3bc0fc70a93fdf494e88845900a588707681d3a0f86539e8

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
45KB

MD5
e968585c70a5ce2d56ac48b09aff0648

SHA1
421597b73fa9be60be165a5a2ee2a2eea4839fd9

SHA256
8422c13c98bb28cdd02b282556f142141a3de1fc2f248b004d4c8db74de00f40

SHA512
883a47803e7698030c18af3994f06a02e5a2d426c09c0c1a35da3a442482549e6fbec1e79e1e287c580d5b9f89c6139be2d3d2e4e93d6c7dbb219f7a4c23e2a1

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
45KB

MD5
302be18ecca3f67070940497e31c77b0

SHA1
8334e0a234d9398542365dabe62e113ae33fae94

SHA256
1e47dcfc2a4e4c843bbb5a702841306094978ed1c6211a233cd69541e3771c91

SHA512
f8c23cf7e7d908bcfd470dcebbb4fd13b20b670d04ef6357e6e042ce4e32399bf17548506cd0a6ff99d26c02ccb8515b19d935cc564c595ad0276322ba88d76c

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
45KB

MD5
33f30c10776e3dd216ce0f61f1b73354

SHA1
e72a7765b0f3eb79d34c3784073249664315ee4a

SHA256
e49ad8a8e0c83fa7fb00f242be007086511acacb59b69ae6877bcad397420ce1

SHA512
3d9ae9492f59c38408284e1cf3f46979051ba5d6f56c47b6e52421ae0eb9d8d5d39faee1e07444ce3bc294752d6acdb2e06ce2c5394a3c8f2ae8125059a1f174

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
45KB

MD5
9427015afe67110e0f3f789fa0ffa506

SHA1
11a65dbe54d6b19acc70c0b532fa4a3345b0f46f

SHA256
5a6284bdce57fc52030a4252571c9cd4cb5a889bc3f64a920ed422d5faf0080c

SHA512
645d172d2dcd07fee6a1ad65a945fc39d0441f1e100f873edda45275df25df5a6cc1ef78249ed07bb3e5fd461083de0c20b25d4d0a8d5dc96a410eb6982455a7

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
45KB

MD5
6d7b7cc17534ebf1696c1422ba1eacd5

SHA1
3410aa608d27277bdb32a9a9c19271636593b837

SHA256
67863389e3665f88ed43a01ceb38b1dc07dc9dc749c1d45cab38a7cef1ca897c

SHA512
9c2dc86e5cae4d5ae4a93228f42acebe2733acf80abf268db60a993440eb0ec74b25697d14a9e4f2224f585487df0d51a9863071bb786d744baf7dafbee525d8

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
45KB

MD5
1873efc6584f5cfc50d272a04e1cbe85

SHA1
4709291d18402bec3286735d63d953fb99da7dd1

SHA256
1bcf9cf396ada7acc4336fbcecca30d477464b188bf9b9d67f8d6ab0368289ef

SHA512
bf64ea53b4f19dfe2a9de25e8690aeb2a2b75e8937357543f8614bd462c469db9307519eba37dec276ded021e97ccc769d0a86807c5b12beeb20f4ac3b912d5b

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
45KB

MD5
3de423108e37f4b63ac1ba39170cfd00

SHA1
3ab2b44316ec4e3ffe8bb8220b7953c39cbb5623

SHA256
c1c48930bfee3077bd81008949cedcd1b84322715cb10cb2c7a1bddffeba49cc

SHA512
f7a7534e48c7bc92b5bd1b75ba16b9c1fde09296498792b043cfcf2affa167c80509fc34738da9b9d2178f030aaf408504d35449d1e07d8de7c55ae6f0e49edd

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
45KB

MD5
2210f5c070d7a21a1557da6e0e89d2db

SHA1
6f7e1719dd6a4590dce9f42b978a930a3a457b5e

SHA256
c6f02fcba2ce7de73dbc81e9187f4b805274d080e128bcfc5f743b60ff9a4f7d

SHA512
31f4e6e3adb3c6d935db35d45ef8fc4d4c5f5d93971c6cb179d75985f072a5f4ebd5e1c7fca54276442d946952cefc69964d6e6d736f822c613e51a4d0a44ece

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
45KB

MD5
e40e6f10f1b00255f211c6fdf32955ae

SHA1
d5a401f4a46288c92f41a7ca957eb0abd40b1c2d

SHA256
896780362f727fab0b8483dde784a29596399341b464326ae59ddcdf082ae784

SHA512
f74c6544a0a08fc2a32868d74af72bc4eb27a3e3962960a7da792add7b4439ecf421afd2c483514e4d5fee15480f45a6fea3cc2120b6e7532035675576601818

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
45KB

MD5
4de10d67539b8498be09960a016d7e75

SHA1
a9dbee4abb1e299eea9d6ab848a7b904ec818655

SHA256
0dd2e5159dea991776a0714422a08311038caa68d14225334f60e80d1322c668

SHA512
ab1119e773f423c9d11a35f655eb29a52a7b3087acb425821bf0ecd4f74cbd4edab7052b411b340d9a75a08734c5c21600c3ae778b5e3b8071f7aede7945f9b5

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
45KB

MD5
48827764c9a55dddaebb6aef7f7b98ad

SHA1
2514012ba9e8dc0f46382c5724e4a2bd64d18411

SHA256
3413880e105a57aa329bf976b8827622871aff602623bfd21c9cbdcc3a6a8895

SHA512
4030e974fa7483a9a4e37d64700ff89b46d6d57ba6a329f89cc5feb7ecf69cd3bd06404ec83f61f66168d1f543a34de6c5c119625f21738afc9d598af037cf90

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
45KB

MD5
0de592e44ef5ba20e37ab0467539e620

SHA1
0f95d602d8cc796440b8e8fc8ddc653295d78852

SHA256
043b5c31439482890524b7357e888361930d3d09bf4e792a3e98071c563f22ab

SHA512
3dd74773db6404a7c03b38e8abb52dcd278963e27afe6a2fb0596a43cd44e0fc262196d784d076f45989e2469e62c9c3220b30349bb8275b40d7523ab7473046

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
45KB

MD5
95a3b9dc5c6343a543eee84a636afee8

SHA1
668d40dc053ab6912e81525b3ede023cb7420c84

SHA256
bab4c68c97f4aa552719d19673fefc855434af09574fdc81e8ceadbc2ab1019f

SHA512
71361008bb381f367b10668f1853cea05ddacbe8ecd87724b678e66c5375ed04202520f0cd2380a86955b94fc4ecfed102f1e78d7eebfbceb8d8b47bd8210016

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
45KB

MD5
ad4d2a3a4c43dcc5701b5a81f70a2040

SHA1
c7e8589adee4f32e2325e400a7fe3bfb22ebd4bd

SHA256
2bc7e976e26d4c74d73332d98dfced27280e7767ce718c24793ee7d394adb67c

SHA512
e4e657fe75df08d8136f96f51d0c289be4654b7a59d9f270e5fc7257c7e034c7376276b18f001c7083bf4f4610d1a759651aaf2863e202d7b9db2bc54bfac6cb

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
45KB

MD5
a77a10f55d57b0e297b29ac03d506d89

SHA1
4cb91d8da54b3a8969776cbf9d62fd12fee85dba

SHA256
ac45e44dbd48478b5d661afd40e4fa00d7652d0ab266346abb530dff1cd0f77d

SHA512
615c70bf4701239f7af413a351121cb9428a274232cc744f5252fe31dbbebf1d3a4eab6d9a262e5983742f516368196792fc6ddde803af6cac238e12338dee37

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
45KB

MD5
17967556738e6b6cd119a9941eb6b450

SHA1
f897f1046a9382758fd1cbf7f003915ee245ddcb

SHA256
e0004a233d8f7a2fccac37624e99f7b2127c965ff8f6fe94a53c722901d203f5

SHA512
569faee005f4a3819590cbd0f20789516a5501667fe3055f7c0eb092ecf39c0ae98093ff26a6a3490cd6ec8beea28f4855fb8cb8e7323599551c2a0bff887cf7

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
45KB

MD5
c996ec2b39d492db91a74616d9c9a583

SHA1
9b0f18c1e1c3777e5ccb77c8773d54b73958902c

SHA256
ed67f1532ef836709801c5855587a68682cf41fd481ece83f335f694c953b97e

SHA512
669a3e0309f7dcf9b73dec9184091608dec46651196c9fe2295765cc04136cfbc2d0bebeb7c2f0d50842f6c9b9346e07f79799419781b9f76f139722909903b0

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
45KB

MD5
2c83803d457581636e4e0798fc63d34d

SHA1
984d4e1d1473b85c9e8d64053331e75e84404a99

SHA256
56b85b31c6a34653b54713c391f3576df46177c8c18370f43508fa731acebbb4

SHA512
732b5887381280ae3cf1183a614056b66323d3630a8cfe28fdbd820c4a8ba4edd58bd55ad5564419aa42c2f98546761c9966986c66ee1a495f40da2b7282fba6

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
45KB

MD5
daa829fd93a6ff8c26d30f3f02331783

SHA1
48e76330f62c2d4cd2392a85fb270e67b740f83c

SHA256
f33190ae8ee9fcdd6ccc45ad48074635c7a758e1301187906032c05bad422651

SHA512
76911b9d9af981220a20ce91dbf689e4f389936050fa1948fda87f5b232a573ea0459b9770284a4f5ffff589d3d5f1f465949117868044090b35e1c5d2c217af

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
45KB

MD5
ac4ef27ca2579d84fadb6fed8cf4df54

SHA1
8a79eb12fd748e08c3159d7ee5d5355000cea928

SHA256
a7976e2391bd04429647030812ab3b8545c8d92fa34423387035398e985bd003

SHA512
2b8b4989d5a2dbd822c8cf75d7aafd978319b124ae5c688a00c46f013a88e75a389fd568b614ff49a4fbd4b467329e19546aa70851bdb2ae291fe697f05ee03a

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
45KB

MD5
e7bbc869fb6c2c91e198695ee7b7fcf4

SHA1
2778108616d62774b48dccc8d7ef6cbc607301cf

SHA256
5d43730201403a050898eb3d5f1666794bcb434c09dd98ee9a10fdcc50e0a32c

SHA512
0802babe6166a6f0b0e8ccda90e15f7468c1d7da72768089474c71d0db2f01e3e8f5f6e42a8ef0df93d7bc477cfaefcd453b8a2a27e5705e1869cebb38e43584

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
45KB

MD5
a19fb686b6cc58bd3e46993309aaa81d

SHA1
fcd31f6e9dcee2819c27747ad13c54d351871b5d

SHA256
1953c0a3123cba41ab5454b65f020a8b5c5a38e804e5cd0c243378799dd897ea

SHA512
3acf8581949b02698c879a920d915f42d8f090364281ccf137039075694355c1c54211b12aa866f178910bd6714bcdceaf2477b20be60c9def5af53f923dbfde

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
45KB

MD5
187c7d28e4fc4d407cf18b4f9d2d590f

SHA1
fa3715602e2e87e457d578e5f8f96de601dc8a1b

SHA256
ddf0acf7083923ca5883d3c8aa26c4fcf3befdb1e319110afd9ecd0b29df2a23

SHA512
4d902e2f7082af02092012b79d203f669dfa6d613844efc9ded4de229fac79e00f1ec734f6c3460213c3ccc2768f4f65b224646dad35cbe896318c0b62f82cd8

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
45KB

MD5
9698f91cce5caedeed24e9b33b39e5ee

SHA1
5182cf6b2160d86dbaf4016bba051bb38bed5b70

SHA256
3c6d25194f120806c308195cbb86653fb01bec107b33a3848d01036a03559dbb

SHA512
cefcc918d94570c771c5a1d591d722bfedcf68a27723fc854c35ffe2e6e099a43db817a6201cbc4060d05d6751405e7a83764f773215d88dd3c9cb1a25fb0a14

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
45KB

MD5
6cde2855fafdc150a67716b1d7f3ae4a

SHA1
70a90208f8ce55ae6a27386191e077cefb1eab94

SHA256
26e5a434d7609439fdbc051b03ed0bcd6d567dc7b03a54d56276b7fe084baa7c

SHA512
b74c380bcb0a1c0f4fa53a7c8500fa1c247307d74633436e566d70fb585cb03cfc62c8a78cfbdec0b4d077133477aa3fd14977d240fb41617bd445f0ba2b7e24

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
45KB

MD5
3ac55e27a4f3b2c3bab06bd5bd94b361

SHA1
7dc4e09b486bb9c2f9217efacc5a94a8f5d89670

SHA256
83058502cac84439e85936a06f8aa436ec42242c3c82b34f103aaec0e0251a45

SHA512
329155b28f0f71899cd34b529d325ac0ad15968e7f82fc7d6f52e93931eeabe91266bc99641300d5c6e4abc06edd996129c17a2ab3c8bcb2d3275286db258c3d

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
45KB

MD5
0fe00739278c65a1eff80eda77c233b3

SHA1
b2771f3af7b83ecc960102aeb22dcef8fb97f94a

SHA256
d403f907bbcefbea2b494dca98cf928f6c0160946d5d1d8fc9f4cf16f35c88cb

SHA512
36ce1bbe926df1035846c59b1df58ef5faf8dcd0f1fd804c294371332ee13ccee64073112f56777d67dc33d422950e6bb893526eab2c3b2da89921ff2196e57a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
45KB

MD5
869faa68a464d1d6360e35968cb39f72

SHA1
b660dfdaa6d5d72da0e6f070c52cf744341d1579

SHA256
75974b9bdf7def4ef02d8540cef77832bdf0395ef5bb89c824752a9776662ba4

SHA512
9a18804700534ef14dac45579d9cb620531c4d48b88a5f946ac0116664ea72841560ee5c15b940f250939bef4cc24cd87670fe13e240c192ef9857132a1525c8

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
45KB

MD5
417e677e4c48edb4c45270541ef4b411

SHA1
30d92c7886e0eb5cbf3d36b83c8720223f93dc2a

SHA256
60ae8620909c24963e7d0ddb139ff725d728e12778f7a41ffc676fa93e2a03f9

SHA512
34ab0dfb84459d2d5a2c4b065d9e792c5831d21f65f968dc648bf5bb686aa394252e2ea5638a45974dfd5ed38f52f667b88ba2bb9e4ed03f7cb50d3a13b9a1fb

Download Submit
memory/228-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/716-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-647-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1280-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1544-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads