berbew | f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe
Size

55KB
MD5

deb98316d52ae060c6e2827de4b800dd
SHA1

d800a6ccb0f2073ca02435d24fdb36f29c63b267
SHA256

f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b
SHA512

6067f59ce3d6db1dea2d3f225c8e2fc9e338dd27ee4e55b52584608d9b384ca2b7641f640b1f30a2698a20e82a69f89282ed612d3f98b1e594bfb3a02b1991b1
SSDEEP

1536:6Ss5ciyr2/v9skn/m+KNSoNSd0A3shxD6:6Soy6/v+kn+dNXNW0A8hh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1276	Pflplnlg.exe
1700	Pmfhig32.exe
4932	Pqbdjfln.exe
4568	Pgllfp32.exe
4204	Pjjhbl32.exe
2344	Pmidog32.exe
1328	Pcbmka32.exe
1432	Pjmehkqk.exe
828	Qnhahj32.exe
3268	Qqfmde32.exe
4156	Qceiaa32.exe
2016	Qnjnnj32.exe
3380	Qmmnjfnl.exe
2880	Qcgffqei.exe
1656	Ajanck32.exe
4928	Ampkof32.exe
4360	Acjclpcf.exe
2248	Ageolo32.exe
2008	Afhohlbj.exe
404	Anogiicl.exe
4500	Ambgef32.exe
2964	Aqncedbp.exe
1192	Agglboim.exe
396	Afjlnk32.exe
1512	Anadoi32.exe
3480	Aqppkd32.exe
4720	Agjhgngj.exe
2712	Ajhddjfn.exe
1048	Aabmqd32.exe
3044	Aeniabfd.exe
1424	Aglemn32.exe
1644	Anfmjhmd.exe
2952	Aminee32.exe
4896	Aepefb32.exe
4432	Agoabn32.exe
2064	Bjmnoi32.exe
1808	Bagflcje.exe
2524	Bebblb32.exe
2320	Bganhm32.exe
656	Bjokdipf.exe
2180	Bmngqdpj.exe
3444	Bffkij32.exe
4844	Beglgani.exe
428	Bfhhoi32.exe
2164	Bmbplc32.exe
2996	Beihma32.exe
4872	Bapiabak.exe
2820	Chjaol32.exe
4588	Cabfga32.exe
1976	Cfpnph32.exe
4988	Ceqnmpfo.exe
4984	Cdcoim32.exe
1348	Cfbkeh32.exe
5064	Cjmgfgdf.exe
2764	Cmlcbbcj.exe
884	Cagobalc.exe
4680	Cdfkolkf.exe
2224	Cfdhkhjj.exe
4764	Cajlhqjp.exe
3156	Cffdpghg.exe
640	Cnnlaehj.exe
872	Dopigd32.exe
1968	Dhhnpjmh.exe
2356	Dobfld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4596	2024	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1276	2640	f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe	82
PID 2640 wrote to memory of 1276	2640	f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe	82
PID 2640 wrote to memory of 1276	2640	f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe	82
PID 1276 wrote to memory of 1700	1276	Pflplnlg.exe	83
PID 1276 wrote to memory of 1700	1276	Pflplnlg.exe	83
PID 1276 wrote to memory of 1700	1276	Pflplnlg.exe	83
PID 1700 wrote to memory of 4932	1700	Pmfhig32.exe	84
PID 1700 wrote to memory of 4932	1700	Pmfhig32.exe	84
PID 1700 wrote to memory of 4932	1700	Pmfhig32.exe	84
PID 4932 wrote to memory of 4568	4932	Pqbdjfln.exe	85
PID 4932 wrote to memory of 4568	4932	Pqbdjfln.exe	85
PID 4932 wrote to memory of 4568	4932	Pqbdjfln.exe	85
PID 4568 wrote to memory of 4204	4568	Pgllfp32.exe	86
PID 4568 wrote to memory of 4204	4568	Pgllfp32.exe	86
PID 4568 wrote to memory of 4204	4568	Pgllfp32.exe	86
PID 4204 wrote to memory of 2344	4204	Pjjhbl32.exe	87
PID 4204 wrote to memory of 2344	4204	Pjjhbl32.exe	87
PID 4204 wrote to memory of 2344	4204	Pjjhbl32.exe	87
PID 2344 wrote to memory of 1328	2344	Pmidog32.exe	88
PID 2344 wrote to memory of 1328	2344	Pmidog32.exe	88
PID 2344 wrote to memory of 1328	2344	Pmidog32.exe	88
PID 1328 wrote to memory of 1432	1328	Pcbmka32.exe	89
PID 1328 wrote to memory of 1432	1328	Pcbmka32.exe	89
PID 1328 wrote to memory of 1432	1328	Pcbmka32.exe	89
PID 1432 wrote to memory of 828	1432	Pjmehkqk.exe	90
PID 1432 wrote to memory of 828	1432	Pjmehkqk.exe	90
PID 1432 wrote to memory of 828	1432	Pjmehkqk.exe	90
PID 828 wrote to memory of 3268	828	Qnhahj32.exe	91
PID 828 wrote to memory of 3268	828	Qnhahj32.exe	91
PID 828 wrote to memory of 3268	828	Qnhahj32.exe	91
PID 3268 wrote to memory of 4156	3268	Qqfmde32.exe	92
PID 3268 wrote to memory of 4156	3268	Qqfmde32.exe	92
PID 3268 wrote to memory of 4156	3268	Qqfmde32.exe	92
PID 4156 wrote to memory of 2016	4156	Qceiaa32.exe	93
PID 4156 wrote to memory of 2016	4156	Qceiaa32.exe	93
PID 4156 wrote to memory of 2016	4156	Qceiaa32.exe	93
PID 2016 wrote to memory of 3380	2016	Qnjnnj32.exe	94
PID 2016 wrote to memory of 3380	2016	Qnjnnj32.exe	94
PID 2016 wrote to memory of 3380	2016	Qnjnnj32.exe	94
PID 3380 wrote to memory of 2880	3380	Qmmnjfnl.exe	95
PID 3380 wrote to memory of 2880	3380	Qmmnjfnl.exe	95
PID 3380 wrote to memory of 2880	3380	Qmmnjfnl.exe	95
PID 2880 wrote to memory of 1656	2880	Qcgffqei.exe	96
PID 2880 wrote to memory of 1656	2880	Qcgffqei.exe	96
PID 2880 wrote to memory of 1656	2880	Qcgffqei.exe	96
PID 1656 wrote to memory of 4928	1656	Ajanck32.exe	97
PID 1656 wrote to memory of 4928	1656	Ajanck32.exe	97
PID 1656 wrote to memory of 4928	1656	Ajanck32.exe	97
PID 4928 wrote to memory of 4360	4928	Ampkof32.exe	98
PID 4928 wrote to memory of 4360	4928	Ampkof32.exe	98
PID 4928 wrote to memory of 4360	4928	Ampkof32.exe	98
PID 4360 wrote to memory of 2248	4360	Acjclpcf.exe	99
PID 4360 wrote to memory of 2248	4360	Acjclpcf.exe	99
PID 4360 wrote to memory of 2248	4360	Acjclpcf.exe	99
PID 2248 wrote to memory of 2008	2248	Ageolo32.exe	100
PID 2248 wrote to memory of 2008	2248	Ageolo32.exe	100
PID 2248 wrote to memory of 2008	2248	Ageolo32.exe	100
PID 2008 wrote to memory of 404	2008	Afhohlbj.exe	101
PID 2008 wrote to memory of 404	2008	Afhohlbj.exe	101
PID 2008 wrote to memory of 404	2008	Afhohlbj.exe	101
PID 404 wrote to memory of 4500	404	Anogiicl.exe	102
PID 404 wrote to memory of 4500	404	Anogiicl.exe	102
PID 404 wrote to memory of 4500	404	Anogiicl.exe	102
PID 4500 wrote to memory of 2964	4500	Ambgef32.exe	103

C:\Users\Admin\AppData\Local\Temp\f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe
"C:\Users\Admin\AppData\Local\Temp\f4aa717b264abd15ef06c7a450d246dce17e63b24d6bebbd764eb3fa6148991b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Pflplnlg.exe
  C:\Windows\system32\Pflplnlg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\Pmfhig32.exe
    C:\Windows\system32\Pmfhig32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\Pqbdjfln.exe
      C:\Windows\system32\Pqbdjfln.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 396
        77⤵
        Program crash
        
        PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2024 -ip 2024
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
55KB

MD5
d1c766feefc1d9c9ef106fbe39ead5b8

SHA1
e62f22e9731f6d16e254a65009a11429c2ae54ac

SHA256
a1dddf4ba4bac766d6bde4e5a68bb9a168af00f698534219972c10fdb2aec6f7

SHA512
c7527789ab305b4781062bb6bfb30499f9a98452548aa8ce86cde74e69320e1bbf9dd306de7e8fd5cbe00fbf0b56bd275b53093b6dc988bb33d55c0ca114b85c

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
55KB

MD5
f6991fb125e1e01d2209e2aa2fca58b9

SHA1
3347f3ec1a6795820efeca33bc94d65ed5b75f9a

SHA256
dc12f57c9eec6d4f53ae0702f41bf89f096c1ee11c88cf12e203f1a1d160cdfb

SHA512
5c7ddccbb6eff5cce7bb6fdb553fcf5c9504222c13baf6e2cbfcfcf52c49e106d17bdba909cdd451dcb29d9cec0060fc03b55b39eb73b6f5f67824c7f42bc3c0

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
55KB

MD5
e2fb2373c8ab919e4f759a340c01980e

SHA1
e07eef4d78b59713b0c451e2c1626369c2376541

SHA256
e2f43c7ddfbd278f5f428566fe6ade1f981777def8b4b9b1fa0edf5a32d67c59

SHA512
5aca477e5d3c5d7a9e69bd16c151f0551a7ef4293d8c9df8f277c3a248e08927e548712c6cb24693c1b064f5cd7b0ad20767802e58ffa95e62dfbddcc3a47692

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
55KB

MD5
669d4df8574c91d13112e466c541808a

SHA1
a76aa676e090ccc7b7a9334916c8e1bba3e0a2c2

SHA256
628fd4ca4196bda000db9e6516f10829f9e944cff2855fbffd0c2238cd815bac

SHA512
9b00ab0570e758bb63db51fca383c99c447e46c64df044c978ce9bc5758618c64e21638b4689d88587ed7e60c361615678e1175d3502069cc0a470458cab51a4

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
55KB

MD5
8cc6ce4ff23c3435126d0a9f2b22e25b

SHA1
2c848c41ee000e638afd48415e448bf5a16cc281

SHA256
1e80b038d5e91fb5a4e4f5f170ad30d3edf4507319c567f637a5afc42671b3d9

SHA512
ee2aafcf3ef294c404f347882a670e91bc082a1c9676ed5bd2e24a4823786619f3e59f4e9f1f6a059c3d89a4ba3027276cb71f74bb386b6b3ca68fb9c47d84df

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
55KB

MD5
8d81db9025ae8266655c2c1a0571aed9

SHA1
2dd4c8d8769e2ee7eb87a914859530b92b660c4c

SHA256
47fe8f946ada5624167cac6030098f1d8a19e9370906f7186c81d048bf81ba08

SHA512
5a89b4e78ceb4f3ed27e5edafa85e631ac6fa8375d7712f981bc6bae94566000d095ad24d764f0571377ff3ac1bc122453ef1eff8d8116d023ce43f859f3857d

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
55KB

MD5
608f6103de0a333e6536757f5a2194a9

SHA1
0e8bc9a58261ff455aaf2206ae2e5c2bf61e499f

SHA256
40c4bde6e3761be637fe00dca8dde8e0bc0d566ed5f5f394980a67d86cba6d87

SHA512
49a5673208d60e3d777873ef51d540fccae1b46a03cd7d0cfbf5f1447ec2e08c02d056f073a7333bd50f347ea2ec386c0e66a15648812b8bd36aed56ad3fb35a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
55KB

MD5
93512d072fcfaedfc92be87d9c699b70

SHA1
cf68b63c154af42bdda8dde19f53a5bb4ade4a77

SHA256
bce34ffebe6b7aa5049f8761f6df9ed8526635bfe856f9c66329de1dc95e8d81

SHA512
1c1e97f05509265d24001974f1168b10e3804b84364947965c3b166103a2d37f13b984d26b6c1c4d66721a4d3e59182cd63fd8bf6a26ef2138546a60d5d8cbab

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
55KB

MD5
276c32b6520ebe5e33e95623f76e576e

SHA1
538a7e7172b336697f44e36a3256c27430b87ee3

SHA256
85f7ce0dff497c0a3a88a5bbaa281d46b488b40e23d7071d2b5320ee132d79a1

SHA512
7bd1bdb80e226373af752b11d3272a9eb6deebb55fe73d911a168f8354061b318cffbbea36f535f55cd88391bd726143eaa2755d1d9bda07a1bcc4855e3541cc

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
55KB

MD5
7a26e5516faa68229bf0f2f2fefc1a57

SHA1
ea9747be96c28a6fe9a5940d78ce1d1552de8956

SHA256
3854a1e7f4c7a5b3dee7ee2739d6d0ab0253983554840a8f1f216e8a2b475bc9

SHA512
784c45bee6555fc4c6db144996dabd230c56e37ffeb9ed2cbcb891e9e56690f0b12482d3b5145d0cf955581880f18ff3a53571b7fae04faef04721d501bd2c24

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
55KB

MD5
fcc0a8ca7ad37b032fd95d49cc4dbcee

SHA1
af89802ed557c259fe5976f884dc302de07608a0

SHA256
813a309011dcb4de29f0631d634a9862ea6fb6b593d408c855b4ca86fe8fc6e3

SHA512
1cf2513509bdff71acd8f053120fa074108d9676a00a04091eeffc576198b2785caf57afac3f94ee05058ceface0f9b14361a8b9ad0fbf48e9836e993c4850f9

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
55KB

MD5
0a93f3a0351444ff9ed44e148e931e3d

SHA1
d907eecd9cb1b9750ed9c44c9376a64a27d4f086

SHA256
ffdab9d0e76a4025442cc4938158612ebb7552a40cf66b10dea30b7265f245a5

SHA512
d538559fec751f242646f5cb40901807bf6c28c610c722eb675b67b4c9ae2961d08be18e9eaa756219a3e100c81aee5078f0135a4ac215f66b31d9df75a641a0

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
55KB

MD5
e374ceecf88e7217b89e792584c8ba70

SHA1
bf73024ad4e972f5b0fa4981b9472733a6a32fc0

SHA256
1f56886be95c654cd9e3076fec2481aeca94468bafdfc6654f93e4492100e999

SHA512
90be6bdb9db9e00cd7a0618075b378f9d7d3d3d779a9f1f03d7359424becfaf5f3b5ab485b1f678a5f62a764425a5e38bad0573edd207b0109396319ca828350

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
55KB

MD5
4cc75deca5fc6852de639ee39359544b

SHA1
91163dd672574cb1df7380b264e1d7cffcd5f104

SHA256
bcfa732b20592d8dee5e4b1008d8b94c153e5dfc543d1f0dfcc3cd62a21a1e0f

SHA512
cecf7e36d151b6bf2b27775bec0465f17da5d8097893f732ebff63b4f966b061b6a4015a7f6514fecb72372ed49eaefceb0205adcf75ace1d663984d8e255aae

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
55KB

MD5
db59216984a09227df9cbf635029cac8

SHA1
e4a76634a17ae9df11b4af8f0d89ced8118fca54

SHA256
376742d3b806d825721f8f29e61db8e455d7977aa483417ad18c7bcceb6a31cd

SHA512
5dd0686879ce0ae6068eb2f60bd6544e54af6f4f867c4005bbcf4c2052384d23a9af2533e430c62cfbc92e19d934d618934e2e0e9a8d928769d369c100bfd809

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
55KB

MD5
72c31ec1cb62eddd0dc3f677db2322da

SHA1
30e6a8581cbe2f51817a357d5f8ad15c6d474252

SHA256
932fe4ba3ed725606e80d969e7ff5e0d060707baeeb2cda92aa22f84f082b6ef

SHA512
12a1e86f7a76afb34aa97bf5bbc85aaf26f4d5e11091084c83e57fd45f1b78b8b0875beef0824e6e2c6490f8d18fd4c926fbe3df4c004799050e1b00efc89968

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
55KB

MD5
6b865c85d129a4cb8ad9ebbb76d6b6ab

SHA1
eac3c1bdcf35c945ffc205e6a1039877fc5a2e50

SHA256
84cbd8e1d089200e8121377542f4bc74ee599b7361350231b81c8f4329410ece

SHA512
c21c6ce0e21719b969a502cdce22738f6d5cd7ad150329336b5162bc32acc030bd05cf5c7da796194753ba59a1a41a38d6a1642803b1da71399e9ae0bfbff75e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
55KB

MD5
597aa7b8904a45d009b11f0653218fd3

SHA1
ef8bb589438db5a6a1cada461f0aa7b5777c5ee7

SHA256
9f5b17acfdfa63229c7496b1939ad200a74fb7c4e65539629eb025aa904d1e95

SHA512
d37b4405bfd500221647a6d7b5b543fa9e295049e48318c0ec46f319363da2e50b5e3589396968718c8e465fe0b709812ad872040c520f2899749235bd3cd33f

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
55KB

MD5
1e4d80bc255fa073a484047278fb7e71

SHA1
a6ece1642e08a07dcd4575c6af526594ab289db0

SHA256
6125d5758d9ee4fe061784eced79e4f57542e89a4ac7293d64b83708bbd174c9

SHA512
0bf368f36e1433ad28e5672ca2d2f649d5695f7d313d5dfdcc8e50749134a1cade353ae9f7d0e942c5f810c4e75c322717c3dc9f897cd34552dde44617f7be56

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
55KB

MD5
62285107a68da9f4defde76dbfb0d385

SHA1
b0e6f0f70997135fa387e431799194c86364d6af

SHA256
b09d6f0c0a65e2a5b3e43d8c24b1a575226de9dddf85eaa062d9429f8def75a7

SHA512
81647adcf2798e8b137aa3e30a70c18f35c7846e52e23280a656f243b80ce53596076eca5aae4d74f4c4297310f4d81b96209ca8c303cca661325533903a195f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
55KB

MD5
b35ac961ba432b193bcc9b896b5c26ed

SHA1
10498187972b3571227e25e126051a46e7058494

SHA256
63017ae1405c9496239457f4af2f601ec3f8de859ee7271e8bf928149eaefd5f

SHA512
880f252d25d5f336e849d141aca7a65443d64cd06738fae4828aed5f25109c9cd02a038ca441ccd58ec40380f153e65061cad3e4bc99dfb5e76f8355a35c852b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
55KB

MD5
5a7b25834bfa395a560b31642fcc8bd5

SHA1
ed2f2c6dcdcc2e607ae92cd0ce83bb8565f4b834

SHA256
514afda1862c1c6e657c0f21aa8e0bd0e06195f1a506da52f254f43af1e9947f

SHA512
7863c23faacfcb5f3db0ce391e3a0a6fdeacc65f4e7d978a8dbea4eec893120d77817dfb4268a96d0c085270c25f4b1a4305273100165da4000c34e38adca970

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
55KB

MD5
2e8fcab7971e6508c6d660061f610637

SHA1
2a42f19645d9543874f48f2996fafda075d6314a

SHA256
719fe49e9a692de5d82aad79e715be543f9989c2d50b10fab8059eca854c4285

SHA512
6fa493280060bd099950efa1648567703f1c41c05aa8bc25bda9b3e81fc44f2fbed62b3688de6a6eaa8a38be8cc20f4cc42fe5d83008dc3473347e39aa28723c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
55KB

MD5
4338b21715f061955152c2686deb0aa4

SHA1
7569b8a041b896f1386f23b7902328190b6b9ee9

SHA256
b8ee98f6af82d9195cc4fd638199de3ced0e5e9651d84382124414d354ce9715

SHA512
5256b2032181fa37bed983c79f86f1f3b5c78ecc1d554a2350286fbd0456c81a558ff00c16da0013de0d562e26dd35ac7cc77b6e2f6f107568412dd0349a785a

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
55KB

MD5
cb8808f37dca032c4dd81b3d60a6c825

SHA1
4923fd34d1fff0cab9d236a31975f15560fedd14

SHA256
7cf596a2e52e4e221046533eea368f27964e67f5a9033352b78640270eaaad54

SHA512
b30e7c0493debde7f2602731beca0d0df631526bd9a869e79e0d94cefb1ce4e2dabc4190cc1fef3f257d35012296e3c761d9784bc1d1f993032661386bf8d192

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
6e0ad27196de417ad7d29177abe5db84

SHA1
cc2d36de062d2185387c5cb50f49f06cb870f40b

SHA256
4d87bb58ef73ddfec09f6ab496acff88fe8f73970c0391b27ccd5e133af0b201

SHA512
a172df0bd7d7c5f18bc6d2fab0369605a4d61ab94c6038fd47059da0260e357cc39940107156486e13ff890a9d8165233a7ea71b683bf2bf9bdec375f086f3f7

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
55KB

MD5
bd1b0418f776ee8ccca7d36e0c4bae21

SHA1
2f7e28d6f89052a5e6db54db3771c66b63f5edae

SHA256
10632964429ef63c3ba970276f009c82f56de585df5d2ca41f8a503c9d901a29

SHA512
d8b2ce1339906c11d8e8a6bb933cc0e0074a458dd4e794ceafa6110bf694fe02eee34c96537309a73d91652f2319fb4852fb7e2cc3e16fda014c4c0a5fd762a6

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
55KB

MD5
baa9c8f75b6ef2171652e0ea34dbcb36

SHA1
3f892347ff64d1480a385c30d5a62bc7dcb5aaf9

SHA256
264b5a115e73a3ab7c5b04a679b09e0ea07e4eb36f287b00c71fab7eaa5dbbea

SHA512
b4febeb804643defd4fabd9fefee336b00fd0f7ec87e857f79aa9497b4b00ca080bd31c8e7050ef1b13bacd3cafb2bc1b2ea6a9bd35a0b1605325b4e4175eba5

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
55KB

MD5
bd1f2487e9d15bd5fa935ce7ba2bdb56

SHA1
c324120faa95cbb4260dee8407828c07e8034f0b

SHA256
69e2bde6d584394a561ebd591013d38d0c868cb4f0fa2a371612044bac5a1c6f

SHA512
8fdecbc6da5f154f316cd13f52eaffd8943dd3f69f4b7ae3f52cde9d943309fdc4da2861c063e302fb627123889e69e9719d8706ac19aaac9973433b932f22f5

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
55KB

MD5
dc3386dea5bfb4f3e61fd9fd5cf28ff0

SHA1
f29f953b98a81b7698a35b5c72681551b7737f83

SHA256
86abc9bca323a73a05ab3cd30587b2464be53df711c0afaf574192dbffc8df36

SHA512
be644ed76136a2632a88ba02cae275e69db99dccd0e8a1fc5e7e5b3d3328bdd4646c68de5d0e286ab7d34b81f3cfff54b4e6d05b7c63e8cd96c71313fb05c583

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
55KB

MD5
b470ac2fb900d9bf760f9275b15c90cc

SHA1
074e1db5e01039b5e76fc5cbca4e934e393fa41b

SHA256
595f4f9982984c3b8ed4d9c815bea4166641e13c3d35880af6c1f9f313ba6db1

SHA512
4e132070d5649eda43806a4d10cdc65b92c8668fc9f9666501285e5fb9bde18ff91ef9fa9f0266284a1ef51235be0208b2712d7c718b758dfbbc7bb5f9e0eeca

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
55KB

MD5
0f1afd0112267152e4ab27c36ab43603

SHA1
8eaa361718f90ba153096280b0791afde2b20e02

SHA256
729a2ef791558f6a43d82b4d180087d547679dc90ebf600cfdee953f7ea7eba6

SHA512
38c4f41290c0ddb20b6eb089718586df797cd53f97afc59630bc445cedc5b68ee84a015e28cd7dec3760cd60982fb11ec4102d6f05b3ba77e875fce6acc42b7c

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
55KB

MD5
14ecec51435b5cacae4974fddff954ab

SHA1
19cd3083c403e79fb2597d8470081b4e340b6cc7

SHA256
746b406c4a6252131c60a004af019f43b53fe161d5b6d323d045415ac9621589

SHA512
8a61dd38746aa458fdcf8edcb294b79114789315cd5bc4fc3adf6973eb230773d3553204cdeffa735121579700bba79a097bd53557c83d18259ed411c054e475

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
55KB

MD5
1ca95f2e53dc82d877babd2d3db767b8

SHA1
64b57a10b0037eb995ae024b60df61702775f129

SHA256
bfbf1b720c896c642e7670d64d0c78be0096885e8e8faa1ea84fbbfdc4d6809e

SHA512
b4543e26755391464d7479166083e9eb7643db692f047155bf0b334edda962d1a84f4644dd2589a9c1dca6509a5eaab96abd13d2fc7470a6bfb089367d575baf

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
55KB

MD5
a027ae6532b97b7e77e4f9dc4e071f6a

SHA1
1a321b6daf2f54357789e6af0113a42ba0ce8613

SHA256
c9cb0fc4853dc04c5bb6a07c92b48760c5c708719aa12f850d51ddb5a8407d12

SHA512
c91c213cceb696efde4d5a62732d88879cd5a3b4269dace501bdb17016d96736bcde5be86c60b74a82b8b0034990daa169e01a846a5f34a3bd10512fcf6c78d7

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
55KB

MD5
9f2dbcec0d12b5d2e2b0220b6d00cad0

SHA1
c3c224f42e90c3d49ce0d83c7aa3f6786dbdd55c

SHA256
e2b1ef0ad045eae4fe5334d8a9e6da9a0c41baa236200d74cb4169141e126914

SHA512
2abc73f5e3ab2a148e7c0d2159137ccc8d5ec3211d1865555aa20a39515071eeec71e71325112eec9ae1013022b0e3c1a9a22c073fd90c8ceba2090ea00b9e7b

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
55KB

MD5
27b0de93c173704e07d8df36d6a7a0e1

SHA1
5fc5a8f9ddda12dae9e6d0dcf57f638ec918fba7

SHA256
1eabe309603141a5ac9ba88606f2d5730f777ff03b9f4ebe8743664ac71139e6

SHA512
472fc891d8af72c0ac67d327f1d0cad6b10b8a5c672439e4e420f0bd178a4259681575fa1c101829488ad14753562faa5d0d4a53f93a3e65ecff2d8fcee5eeda

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
55KB

MD5
ebc6e11ba136fef74baf3e2240767f00

SHA1
4ae608eddbc1b9b488ab7106e7458b99e8a1f486

SHA256
47918867acf58e23abe6027c2941aa6ff95a8624de5e868a709da6ab3732f4a9

SHA512
fe80d001482c1ed5a16f681881245a2f82d4bb40e6bcbab071a1ada7cdd57a902f3c93f90fe53b9c8a4c722455dccab09f33690b504781a10a7153160f0e3f42

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
55KB

MD5
f0b8d38b09dd5fc4736e2657f01b8c27

SHA1
1ac4494048dfbbf8377e2df4f98a73424e35c2e0

SHA256
7bd2b0fbe862ba1c9d280a32237ffef16a989137cc3fce9f601ae2e519a4108d

SHA512
af865a601de5ecf782c3fcc2522323e8dd2f79cfcaf27879fa64f2920062f1897b8ee4caa4291af0f9d4ee8a2a1d5d0720ff3c2bcd448a8755c34bb0802dd105

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
55KB

MD5
98f758d5a8b24781895df90f7b32e630

SHA1
2a9269df1bedf1109e1f594d79a5886a12b0858c

SHA256
5480aa41f743658474e2fe947542f353c544fd9466ee84b559d484c7c049ef5f

SHA512
0e01213be81c871bf5e453e2fa2756153ad0475719beb94aeaf90ef18963e74baea7a43a3a00b02c4a717261244099372c652fc54b1894bff0bceb54d150cd23

Download Submit
memory/396-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads