berbew | a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
Size

92KB
MD5

7c33e084cb3a78ade890c2c63c599a3e
SHA1

6e22b9bd7ef5a71784016ddbeb96af27d0db42bc
SHA256

a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae
SHA512

ddae752f0e58408ef8ebfd4556e5179e409429a5a7da78c4c97debd174240d1010313eb560cb3c7454f225c587be49cb804cf8fe5445f04bfbc99aaf12f61d89
SSDEEP

1536:SFkzPHELSIoZjoi6vfK3rFc4sTClYBG3QYD3Q55+O6iE1A:EfLAZjoicSbNsTCK8Qr5+ViKA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1832	Mcmabg32.exe
4312	Migjoaaf.exe
760	Mpablkhc.exe
4140	Menjdbgj.exe
2384	Nepgjaeg.exe
4940	Nngokoej.exe
1496	Nebdoa32.exe
2716	Nphhmj32.exe
3960	Neeqea32.exe
3676	Ncianepl.exe
4776	Nlaegk32.exe
2540	Ojoign32.exe
1536	Oddmdf32.exe
1388	Ojaelm32.exe
1716	Pdfjifjo.exe
4936	Pmannhhj.exe
3308	Pggbkagp.exe
1868	Pjeoglgc.exe
2296	Pqpgdfnp.exe
4820	Pjhlml32.exe
1180	Pqbdjfln.exe
1856	Pmidog32.exe
3944	Pcbmka32.exe
1576	Pjmehkqk.exe
2660	Qgqeappe.exe
1112	Qfcfml32.exe
4076	Qddfkd32.exe
1712	Anmjcieo.exe
3488	Adgbpc32.exe
5048	Ajckij32.exe
2196	Aeiofcji.exe
3348	Ajfhnjhq.exe
1276	Aqppkd32.exe
4084	Afmhck32.exe
2556	Aabmqd32.exe
4560	Acqimo32.exe
1956	Afoeiklb.exe
4584	Aadifclh.exe
4512	Agoabn32.exe
1948	Bnhjohkb.exe
2688	Bcebhoii.exe
1800	Bjokdipf.exe
4972	Bmngqdpj.exe
4128	Bchomn32.exe
2732	Bnmcjg32.exe
1068	Bcjlcn32.exe
5016	Bfhhoi32.exe
3868	Banllbdn.exe
2680	Bfkedibe.exe
4516	Bmemac32.exe
868	Bcoenmao.exe
4228	Cndikf32.exe
3728	Cabfga32.exe
4180	Cfpnph32.exe
3324	Caebma32.exe
2460	Cfbkeh32.exe
2908	Cmlcbbcj.exe
2164	Chagok32.exe
5040	Cmnpgb32.exe
2236	Chcddk32.exe
3788	Calhnpgn.exe
2496	Ddjejl32.exe
5000	Dopigd32.exe
3632	Ddmaok32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3512	4844	WerFault.exe	159

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1832	2652	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe	85
PID 2652 wrote to memory of 1832	2652	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe	85
PID 2652 wrote to memory of 1832	2652	a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe	85
PID 1832 wrote to memory of 4312	1832	Mcmabg32.exe	86
PID 1832 wrote to memory of 4312	1832	Mcmabg32.exe	86
PID 1832 wrote to memory of 4312	1832	Mcmabg32.exe	86
PID 4312 wrote to memory of 760	4312	Migjoaaf.exe	87
PID 4312 wrote to memory of 760	4312	Migjoaaf.exe	87
PID 4312 wrote to memory of 760	4312	Migjoaaf.exe	87
PID 760 wrote to memory of 4140	760	Mpablkhc.exe	88
PID 760 wrote to memory of 4140	760	Mpablkhc.exe	88
PID 760 wrote to memory of 4140	760	Mpablkhc.exe	88
PID 4140 wrote to memory of 2384	4140	Menjdbgj.exe	89
PID 4140 wrote to memory of 2384	4140	Menjdbgj.exe	89
PID 4140 wrote to memory of 2384	4140	Menjdbgj.exe	89
PID 2384 wrote to memory of 4940	2384	Nepgjaeg.exe	90
PID 2384 wrote to memory of 4940	2384	Nepgjaeg.exe	90
PID 2384 wrote to memory of 4940	2384	Nepgjaeg.exe	90
PID 4940 wrote to memory of 1496	4940	Nngokoej.exe	91
PID 4940 wrote to memory of 1496	4940	Nngokoej.exe	91
PID 4940 wrote to memory of 1496	4940	Nngokoej.exe	91
PID 1496 wrote to memory of 2716	1496	Nebdoa32.exe	93
PID 1496 wrote to memory of 2716	1496	Nebdoa32.exe	93
PID 1496 wrote to memory of 2716	1496	Nebdoa32.exe	93
PID 2716 wrote to memory of 3960	2716	Nphhmj32.exe	94
PID 2716 wrote to memory of 3960	2716	Nphhmj32.exe	94
PID 2716 wrote to memory of 3960	2716	Nphhmj32.exe	94
PID 3960 wrote to memory of 3676	3960	Neeqea32.exe	95
PID 3960 wrote to memory of 3676	3960	Neeqea32.exe	95
PID 3960 wrote to memory of 3676	3960	Neeqea32.exe	95
PID 3676 wrote to memory of 4776	3676	Ncianepl.exe	96
PID 3676 wrote to memory of 4776	3676	Ncianepl.exe	96
PID 3676 wrote to memory of 4776	3676	Ncianepl.exe	96
PID 4776 wrote to memory of 2540	4776	Nlaegk32.exe	97
PID 4776 wrote to memory of 2540	4776	Nlaegk32.exe	97
PID 4776 wrote to memory of 2540	4776	Nlaegk32.exe	97
PID 2540 wrote to memory of 1536	2540	Ojoign32.exe	98
PID 2540 wrote to memory of 1536	2540	Ojoign32.exe	98
PID 2540 wrote to memory of 1536	2540	Ojoign32.exe	98
PID 1536 wrote to memory of 1388	1536	Oddmdf32.exe	99
PID 1536 wrote to memory of 1388	1536	Oddmdf32.exe	99
PID 1536 wrote to memory of 1388	1536	Oddmdf32.exe	99
PID 1388 wrote to memory of 1716	1388	Ojaelm32.exe	100
PID 1388 wrote to memory of 1716	1388	Ojaelm32.exe	100
PID 1388 wrote to memory of 1716	1388	Ojaelm32.exe	100
PID 1716 wrote to memory of 4936	1716	Pdfjifjo.exe	101
PID 1716 wrote to memory of 4936	1716	Pdfjifjo.exe	101
PID 1716 wrote to memory of 4936	1716	Pdfjifjo.exe	101
PID 4936 wrote to memory of 3308	4936	Pmannhhj.exe	102
PID 4936 wrote to memory of 3308	4936	Pmannhhj.exe	102
PID 4936 wrote to memory of 3308	4936	Pmannhhj.exe	102
PID 3308 wrote to memory of 1868	3308	Pggbkagp.exe	103
PID 3308 wrote to memory of 1868	3308	Pggbkagp.exe	103
PID 3308 wrote to memory of 1868	3308	Pggbkagp.exe	103
PID 1868 wrote to memory of 2296	1868	Pjeoglgc.exe	104
PID 1868 wrote to memory of 2296	1868	Pjeoglgc.exe	104
PID 1868 wrote to memory of 2296	1868	Pjeoglgc.exe	104
PID 2296 wrote to memory of 4820	2296	Pqpgdfnp.exe	105
PID 2296 wrote to memory of 4820	2296	Pqpgdfnp.exe	105
PID 2296 wrote to memory of 4820	2296	Pqpgdfnp.exe	105
PID 4820 wrote to memory of 1180	4820	Pjhlml32.exe	106
PID 4820 wrote to memory of 1180	4820	Pjhlml32.exe	106
PID 4820 wrote to memory of 1180	4820	Pjhlml32.exe	106
PID 1180 wrote to memory of 1856	1180	Pqbdjfln.exe	107

C:\Users\Admin\AppData\Local\Temp\a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe
"C:\Users\Admin\AppData\Local\Temp\a32ad4fa45328a7cda380c7284ecdaac7534edae568212b29b0808b6cc1742ae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\Mcmabg32.exe
  C:\Windows\system32\Mcmabg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\Migjoaaf.exe
    C:\Windows\system32\Migjoaaf.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Mpablkhc.exe
      C:\Windows\system32\Mpablkhc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 400
        76⤵
        Program crash
        
        PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4844 -ip 4844
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
92KB

MD5
077a6430c8cdebd4fcaa4c03d1af3c57

SHA1
f842c829244707edbaa497b9aca757848045758e

SHA256
2284c29330bed6bbea38283611ca7d494c03e5cfd1e169776b05c96ae4804a68

SHA512
8bc8ad9af1ec51b4ac84670c54fa556302bc3251a19438908f7677f5ca1f2c3259ac32d0232a7c9c70f4dcccb33498bc9954ad398238a3385f051cbb494d3cb0

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
92KB

MD5
701437682aa2877cec87c877da9c555d

SHA1
8a1ce5c33ffe3144c974113147e15ab5d5bc709f

SHA256
0f09b1841074e89e424fa7eb9674ef4ec195af83a0fdb73b6c4cf827b19fbd8a

SHA512
cce4a39504232e1900c29402876c71a742dcb41a8454f6ed4e5dbed361501aacfa6138f1621cc106dd2935a608d696325bc0baf039434d10e6144774c0602a4a

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
92KB

MD5
3a5b9df8b1cbca0669518972bf719394

SHA1
a4a78b313cf548822742c334bb5d63be724734e0

SHA256
f946e15057b0a53509ec510abf0a6fbc86525a62bf59f39eca23c5f30ee28b2a

SHA512
f37da3cf3cc51c90e11711c45c793853abd2f35c970f0feb0f157a53430097c86c91b7e9652d65666655225dee3b00f2bd2c488326e2780de1ffdaaddc5257c1

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
92KB

MD5
bc8c2e520906f7415e1ee33f3a04f3fd

SHA1
f4328adacd0394b0b267a489e083e57fd5b7970d

SHA256
2dd8fb59e767e68e16d8c9acffe9f3d9c603cb546a1b933f08c2f652f6e91fc8

SHA512
7ac40ed179b850e98fc4d836bab60a2e08a608d580d5f33a585985d7facd645ceb46b700b392f8f32a019748d84c1e2833ee55092b01bdfda69c77123f1d3b5f

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
92KB

MD5
ed44f13ecadf062fe46b131f8542ac20

SHA1
9666917d9f58fcdab6267e596fd43303b510120f

SHA256
b28f41331f4f9ab541ea20546b7e11e8c4d44a402cef0e9c691e81461f09394d

SHA512
9d23bed99b0455a49c41058a4e156d622d57b97577f42ea3ea2f1e0e7cedd542830064a3fc1920c88832dc16a29418d79f5e6864ddfe32db87a6562b86bc5c01

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
92KB

MD5
52984aca9b5b36d8b7087b77455e6c3b

SHA1
310d7046a345b8ddbeff55f960962424488be248

SHA256
bda0e103b43112cca31fd7cd96d3e43d38569cbf7ce3ed658b10e42df14994df

SHA512
e687bd8cc59b949cc669b22419103224aecd83a3b4b8d70198291bc95395e319e53d97586c345cd44803b2645dca5220744b18650178efd5bc157228cf571fb0

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
92KB

MD5
bb8d94613875a3d2589fb1a4f03ad5c4

SHA1
de0f155dbb046f3f0110d75506a768467aa87cc9

SHA256
3fbd8553025a8a1bab096c4e51f794faa31ffebb0a88f1307f6f1957f2b2db7a

SHA512
af8b31bf8d52f6e8d635bfd09270f2dc9a5733435600e2ca391fc6f61936460d08d49f229fbc0f1b8a845fefbe93004e6565cea2d9072d108750bb5986eb3c3c

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
92KB

MD5
9ab38d1f10399c0f9005e04d114f973a

SHA1
f7e478a77f6e9e5b77779dc8c4c0c2697b02f085

SHA256
ea456c97527f56b3437f5e479c03a37e7635817e9248d37cf1b69c7d715a45c6

SHA512
e922c4e9fc1826a4d222850ec9c8f8f88ce773a694c3056b30ec5bad3abf994404d5901b3ed1702d1d0e833bcbf4e95a01f6023f97513364a339122070518498

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
92KB

MD5
147f87cf268f90b304501f1669d604fa

SHA1
95867bb5a388694a59add913820a03c8ac57428c

SHA256
f57ff85f7e317ec5e40484aa72723ce7b50ad49b41befe98cd3a483e9995de42

SHA512
c55ef2d45fd66d171ba0fa1e9992e0d63471824256fadd7f02b144586d6afca42296e7077f7a2da895be20de84001e5d3c42a7da1b1d5df0bd385ae360420cd1

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
92KB

MD5
d0bac7114b5c7ade9df92515e8cf5d1d

SHA1
a4ae027b412c8389f5b0fc02632b6cad3fff3656

SHA256
62a45d510181651e37de3689b61ee483bfb6660540ea15cc0c7e0230bb6c30d5

SHA512
33c43f8dbf87c500e024f84caadbb61cc4ee10620dfc6de357279b341b33a98e0781533a183ad8699582bed41262950a44e4fb5f9bebcaec670fd19fe8ed3bfa

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
92KB

MD5
d231b9fe697a7ef2cc32416386697b2e

SHA1
48b92dc06001ec307b88c064883af438fe2e8843

SHA256
1fe5e3c1699ce0dc3136e8c7706d6a78936bfb922b3391c9bd7c387d43f470f4

SHA512
3e86c9d06a696d2f1558399616483386b98e1c484dcb7bbc3b5e6caaf1b7f000a74bd500a2f74d3fe4563dab1ae1bfe2f121c383f38b1b2384520db6a3f46a6a

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
92KB

MD5
d521ed3f27931c075100dce43a7bdaa3

SHA1
d931a35e5e5901f01028613e8b6728fd354c35f3

SHA256
e975f1c435eb76c7bb1948c84aa9904f84994dbdbb451fcbd34d78503db61b30

SHA512
9fda718f867ea6abf3344bd69b0a44f31110d069f103759f15846baa133a393851267d678fd8466abc48bfcf15ba1f051927dbb7b0994602d1c5f8d515e00a8c

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
92KB

MD5
f83953f705bbfc1d2ec26f2e1fba3fd0

SHA1
1db3dd2d6a28399ebcbcad506d3f232fed72e118

SHA256
7483b8fbf5c721c18a32423e6474507855fd1e7fb48e2fcd63a5bd95fea04bd7

SHA512
60a64cb9abb11cc3db8872828238d6190eaccba9e9aa784af44113627c99fc6783838dd9ba6538dfb965154292d6f73b6a06469ccb61750a10c150ef5a66b883

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
92KB

MD5
c047a8d4e51cebdb2747213fdf7720b7

SHA1
ec6fc622d556a1fc0b07b1431fe7aa289fba8774

SHA256
7c5eadcb8c277445d84604f60725c7bc27d3140822253e0e415d4219460159a0

SHA512
438d1185c0a252259062bdd82889f84d3bf927fb895afe61a51109f407ca94a307560d1d7d2aab009712d1d010c1d04c742bf3fb495fea38463ff73eb3aaa83e

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
92KB

MD5
8c0189427f3321afdbb7ab1be886af0e

SHA1
9ecb9e1ecc77bef91468d5e2fe66cc7df65aa276

SHA256
4a3b5ecde820177d7d9d1d927d034ce8c2f0ae9def9e9062d781001f85bd6209

SHA512
88da67658303043157df79b816ade143f4756213411d325935b6c0ab110626c18d9150538182a5c28a313553eef7bd0b41af19217724f828544cd2e30a6f76da

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
92KB

MD5
6f019f72cdab9fdd74ca0c0473a9d219

SHA1
33837047d2117c6d659642e4f3fe970949c378dc

SHA256
d18abfdcc668f626e6415480d911be317f88a1f3a755359e036c115ced88d1f6

SHA512
0f38419ab3ea8d163d7448988d164ee3d9c2e9e67d0671f2a973c808504848258f9d695dd1a97a38248c3ff0dc82b8ce8b0d79248da3550463db01080e1cb3d4

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
92KB

MD5
4d5534c8dc1c0c5d820750d1986a5a6a

SHA1
f64aa9edebafb16ea276a340e8e5639248085fc6

SHA256
552caa325101305739ce2e8f1bf79439e1d05cdc62916c3b01f71f3fb10f008d

SHA512
5002bed4f79ae98c87f26b00703ae5c1934eaa9b3a3fda3b527cfccddea51e973ae062d4706ee103f0892ebc2dccb29d3885bce0c6bb66d465d3571b9fde68e1

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
92KB

MD5
c22b4432dc019b25832ff5cb78a8291b

SHA1
f4c4b98fd9e18720752751d62a0d76e5e68441d1

SHA256
35d521025af408edccdcb988623745da25ef7b0152637a0cb7a48790d377bfc1

SHA512
3983741d5c7c8eb7dd3d92b288b2d0fb9acf0f441d41e8f331d32a6c1f627453018443f02e6f5c9847a431bedbddbe3e4440857c7dcb7a3c5e2565f20e9fa294

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
92KB

MD5
528fb639701c4763f5095799cfb0406a

SHA1
17e1222d99ca7f447394777e1d20b8399b4d0d78

SHA256
0c3e63d26c00e2138d03e12515f291de5de08508df2f3425222b31306b9304bb

SHA512
b415cea01ede4cf66961db86e07ba0910089904985abf638738fb28493a1aad5f92ad353209c83662a49ca135fd20eeaac70e4e57cdeab977e3831184e0594f5

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
92KB

MD5
f93f7edcf125b6bd663f4c400dbfb03f

SHA1
b263223018c076b2e5f2a35902b32d18b38e078d

SHA256
0d0ac3a2c7f248d803c3de6b90f867b44636e79bfd53aa8fcc1ae48a7e60888b

SHA512
fe6b71c655141a0a561c10833320bfb3af1b69c8ff995010099ae98c0d60aeadaddcb41780a3fb7574e869a08a779a934eb3e6a63f4e3f6f63ece204b8ef251b

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
92KB

MD5
75b81bada03022c9e9a7484b553923b5

SHA1
a05fa03c201b5f7193b30062f1091cb5efd28987

SHA256
cb3e470f89e250d86622881279ce8dc595de9bb993e1c41f2634433c7e7fe530

SHA512
807c705cc4d4d55baae3204955866f8440641d0f613a2142a08cbd9d9600a3e8a2226a20982afeef631a7aaf5e88befdd2cb0b2d4fba6b921fe3a9d293c43b59

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
92KB

MD5
b905617651a2bfe549da510b022684e6

SHA1
6ff176f757763f6a93d2f783ca31c39a276070d7

SHA256
abf8e6e5c9f297ed66af0c4cc2f4193882bb10e203b9ef80aaa6978af2f84431

SHA512
2853e70ad1eae1e0d70301ff1f47a087932717d2cbfc354a2023b0fb742e957686dbb616a7f15dc52f10426efdc1847ee47d5a98c57d5598ad4b73605ce02799

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
92KB

MD5
4b6580ee24551512814553d8228ae82e

SHA1
a229c562015828d748edf8a0eddac73fc17a14c2

SHA256
9fc6bf525d79ba0aaaa6a5e07846ad175cb1c266dc90f6cc76333276f980a0a8

SHA512
c12dc28e192aa9934e4a07869d08aabaa044f5422d7c6e5135331f55c2a70c21d0bb96e43e53135fccadd216b16b88b266ba904afc43a8eb359e906c89b27b1d

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
92KB

MD5
321c67816f9809a775bc1fd0bbc82c84

SHA1
126e5211220022c3f1f9587b497eb6ea181b678a

SHA256
2cb281599b2d85ea133fb528dfc69be1f991e14c7fd0c0c0b5da08d685656f1d

SHA512
2724247e41de42e471bc631e3add863800337e560d23735fb138b8f97ec6df05927ce7f70af2ee855085b6442ed8b016bedde071776b44f6373c865779bc5dce

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
92KB

MD5
14763ff893212c9e41d1af1dd3ffd8cc

SHA1
688294e575e5f05252cf8d41a7de8aa2c1902f7a

SHA256
d67e26c79a81de74c85d1663ec6ae98df7c5765688bcbc8e29a4ec7571553ad8

SHA512
70cd6aa9f07c114732a5e1e5f9f031bedb59f8fcce08a7ee889aa44e6316386e4447d91422fed4d6970102f280f05f9d22eba2854048f844eb48c50c1f21392f

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
92KB

MD5
cf61136fefcb4bd452bbf4e6561e2acb

SHA1
4a143d1c011e5831d9189eea0a6d89da313540d7

SHA256
18bcb085c6ccb92a7641ba30b2a912f7d784d4ab46cc802117472e12e18997eb

SHA512
0278e02819b9942f22c2936e692c13c51728af174ff8ab299b5875e14b2ecd52a051bbcb9c8636e7006eabd337822227548fc44284774d984a424d9368fc1fa8

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
92KB

MD5
cc89e770bafbe3b26480986d824f9dab

SHA1
b729d45aaa8becc8a7d676614b25e56e2dd88678

SHA256
edeafae7acf26dfd174b2feab088ce5b6fd55eff81992d85c04fa8c65c1e15e7

SHA512
d4d0f34309838ba06f25b780edea20bd184758b61a27e8a1d6f99f291770d574ffff20587f958e392b1fd9ef23239e8afe418c74a794151d42809d18c298c3d8

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
92KB

MD5
0f3bf19f0d7b5dc93f40cd173fa84f29

SHA1
33d88aa8b854925f9895e14af8e923b5c23e21f0

SHA256
b6b405c7023d99b3589a3b78c97f32fb45cadafebd831446141a2edca3ad4940

SHA512
5b8dc59292e69e51dfdbfc98b8b83ec7e052f974b2ba42655e26272e07793862293ef850188c80694b20f3e0109f8d434529f23a4bc39d2f10b4d20aeeabe7c8

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
92KB

MD5
342d7c06a2534706553ed4e0f2c6170f

SHA1
936fd0db1c1486ba308c0303b8632bad5313cc41

SHA256
b30bd530f0cc6bd35674d23762653e6b4d686dc4c1335786a9f7d62d80948884

SHA512
be9236d36e44cd2e145338dbd35eb1ac68a8f0cde32db7705d613607be4516704a15539050d9080a67e9d7d551bf17ccc29d405748b66ab399a0b35eda893e3c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
92KB

MD5
4b811ecdc92b02e41546af05457f5167

SHA1
b8a4d4741a63f529f44ee7972fafdd24b0b5a74a

SHA256
582b8c8baa88747bf57ba199a13a214d72971159169032b771d3c97302edd356

SHA512
ec44f12dfb801cf8866ed3d48bd501e7eac978b4d24a934850e14b1ebbba4b4f549f8d4e6de124b6d5b604e1e22dbd814fcd9afce195b8570f7f1113aa65fa38

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
92KB

MD5
052a6326a91531cc93d599ca0abb9479

SHA1
9ca9190f247f81c469bc39d49db69681c9d61de4

SHA256
8e8831b96833c0a485099657e5f28e31d39863aafc8eda5369360729d72a987b

SHA512
f0db5eaa1948d03c62296f20052e6e59d0e09c509b044633ea64be753e4f99a656f71c0446bd4d90a3d6092ec9ebf292c65ec1b3483f40cdc84463b98f6f9c20

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
92KB

MD5
31d9af255dae1021f0f42c7f4e2a8c93

SHA1
b906693b75f91b96fe2452e04a6d0214df2f2e82

SHA256
a369936e9a762d93ff6d9515f8239a2f9df000706e61cb11b4958ceef4e50e1b

SHA512
1ea28f4388d4c0a24fea7faed391773659f485c7eb5324206d8c273d3c56556445bee5c3574e117feefb704d8d69e3a8aa761f018ebf8752cde2e41f104de7e8

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
92KB

MD5
19c0474ce7107cb0a3c4818a42dd6e61

SHA1
1aaeaa6c6f000be21505fd638a3db0c3b2ffd3af

SHA256
5226ec6f5c6a40aac251b4e7f12bae2b1c84d7e747acfc1689f6a43743c10ea9

SHA512
945aa56ba286d7984f3fd9d5608d8e6388b8fa98ecf2c4fe53816bbbc3ad685391bbf61353459dc204c7c4d5d946d70262688f4f20e0671c60ad1e744b00ef89

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
92KB

MD5
3427db1efa8cd74e32fd3656eb09d632

SHA1
246489df16d3b5f1dd70226300aa661cfd313aef

SHA256
a3496697e0af800ea39a29230d06147e95eb8bd293a8fc6c6e9877d983931ff9

SHA512
da642f38456afcfd9945b6d24ed2dfbc88170179390c051830c72523677f254a7e6a3ec2389391fa61802b1e160fba7737c5d487bf796ffed48d820ed2484029

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
92KB

MD5
7d7bf996d23fb21337d1fe31a09d19d4

SHA1
b9cfa89227a4088afa28006b5cc6a7741878e404

SHA256
6a2b6ce8dfa9c3d6718834db6070839c869a718269192aea6a45bc312b24aea7

SHA512
09087a4adfe83769d2239d350e8cce3eb2939b95eef3fd025ef39812288fd1b7e712a35b7994417a771faa416421c127fceb524d5dccb6b1dfc6b77fc5682537

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
92KB

MD5
3048daa867d1c3d4ffc76e6c9cc141c3

SHA1
c77ef7b59d3ead50a003bc6f6e3c9e904be25d83

SHA256
785380880cd49645b6b549442fa2b4ba2c8375e2e207871e277967ecd7b2db93

SHA512
d7c341ece3160ae6584edb1f1c846671581aa72e37a32ca35f93541ea957f3201fc6d548c0c2975ad5bcb127666c6ca40f437b15f042ae80fb1a3993e28318aa

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
92KB

MD5
e7cd4da3152ff9564631b9e4e4239bbb

SHA1
773756432145a294138b4ca997deef1989d73c20

SHA256
666213f72f85a884935596551c119a6e764630d987331ecf8803f71887cef1a4

SHA512
cf03f3507b2ab8e5f5bd9843c00662fbee675ad39230d56bfe72a157858b6fb269519acfed27b296ac66b5992df84ad3eea0b6f797ce0c5b2738d35802ffa1ea

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
92KB

MD5
132bc72e3611598b643e25222670af36

SHA1
1582c622f1806be8983c495f2716dbec7c1be7b0

SHA256
aa7802d427388113ccd41ee2e0b81676600e37ddecedfdf643201aca00231472

SHA512
1006b6367fc73fa75b2ce3daf81a2796f78108122124f3742cf8d2884a872b46473c3eb093e695e9fdcfdba3f4d07376dd9ad6abe0576766de22c144d0e11d32

Download Submit
memory/760-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1136-512-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1136-456-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1180-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1276-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1536-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1716-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1800-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1856-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2164-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2164-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-462-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-511-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2196-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-516-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2296-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-468-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-510-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2660-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2688-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2732-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-498-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-506-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3324-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3324-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3348-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3460-492-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3460-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3488-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-523-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-515-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3868-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3960-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4076-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4180-522-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4180-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4228-524-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4228-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-486-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-480-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-505-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-504-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-517-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5092-474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads