berbew | a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe
Size

443KB
MD5

b88e967c3ae5f718215bf112d37f0f60
SHA1

d62558405cd07566d472aa59cd01b99d8a9e384d
SHA256

a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2
SHA512

3867ed00c4039761df4470e0cf0e035c10fc7afb5a443437169b33ae7e2132341773509e22c52e1983d1635eb1bad5d765187e0ab65f2f8b7ff3bc17d7459f81
SSDEEP

6144:70K6aPsq7J7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXm6:YzaV1J1HJ1Uj+HiPjC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1248	Opdghh32.exe
4868	Ocbddc32.exe
208	Ojoign32.exe
1880	Ofeilobp.exe
1524	Pqknig32.exe
3124	Pnonbk32.exe
3496	Pqmjog32.exe
2276	Pmdkch32.exe
2040	Pflplnlg.exe
3432	Pncgmkmj.exe
2344	Pdmpje32.exe
4320	Pgllfp32.exe
1952	Pjjhbl32.exe
3112	Pmidog32.exe
4144	Pqdqof32.exe
1092	Pcbmka32.exe
4684	Pgnilpah.exe
3544	Pfaigm32.exe
1328	Qnhahj32.exe
1576	Qqfmde32.exe
1420	Qdbiedpa.exe
4004	Qgqeappe.exe
1080	Qfcfml32.exe
2400	Qnjnnj32.exe
1752	Qqijje32.exe
3108	Qddfkd32.exe
1936	Qgcbgo32.exe
3016	Qffbbldm.exe
1836	Anmjcieo.exe
1788	Acjclpcf.exe
4612	Afhohlbj.exe
2020	Anogiicl.exe
4844	Ambgef32.exe
2240	Aeiofcji.exe
4604	Aclpap32.exe
3696	Afjlnk32.exe
2512	Anadoi32.exe
4420	Aqppkd32.exe
4016	Acnlgp32.exe
2936	Afmhck32.exe
1348	Andqdh32.exe
1156	Aabmqd32.exe
3376	Acqimo32.exe
1924	Afoeiklb.exe
3836	Anfmjhmd.exe
1696	Aadifclh.exe
4648	Accfbokl.exe
512	Bfabnjjp.exe
548	Bnhjohkb.exe
5004	Bmkjkd32.exe
4220	Bebblb32.exe
2980	Bganhm32.exe
3300	Bnkgeg32.exe
1564	Baicac32.exe
3260	Beeoaapl.exe
2416	Bgcknmop.exe
3612	Bjagjhnc.exe
4052	Bmpcfdmg.exe
1628	Balpgb32.exe
1944	Bcjlcn32.exe
2252	Bfhhoi32.exe
1472	Bnpppgdj.exe
4664	Banllbdn.exe
3784	Beihma32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocbddc32.exe

Program crash 1 IoCs

pid	pid_target	Process
3604	5396	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1248	4300	a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe	82
PID 4300 wrote to memory of 1248	4300	a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe	82
PID 4300 wrote to memory of 1248	4300	a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe	82
PID 1248 wrote to memory of 4868	1248	Opdghh32.exe	83
PID 1248 wrote to memory of 4868	1248	Opdghh32.exe	83
PID 1248 wrote to memory of 4868	1248	Opdghh32.exe	83
PID 4868 wrote to memory of 208	4868	Ocbddc32.exe	84
PID 4868 wrote to memory of 208	4868	Ocbddc32.exe	84
PID 4868 wrote to memory of 208	4868	Ocbddc32.exe	84
PID 208 wrote to memory of 1880	208	Ojoign32.exe	85
PID 208 wrote to memory of 1880	208	Ojoign32.exe	85
PID 208 wrote to memory of 1880	208	Ojoign32.exe	85
PID 1880 wrote to memory of 1524	1880	Ofeilobp.exe	86
PID 1880 wrote to memory of 1524	1880	Ofeilobp.exe	86
PID 1880 wrote to memory of 1524	1880	Ofeilobp.exe	86
PID 1524 wrote to memory of 3124	1524	Pqknig32.exe	87
PID 1524 wrote to memory of 3124	1524	Pqknig32.exe	87
PID 1524 wrote to memory of 3124	1524	Pqknig32.exe	87
PID 3124 wrote to memory of 3496	3124	Pnonbk32.exe	88
PID 3124 wrote to memory of 3496	3124	Pnonbk32.exe	88
PID 3124 wrote to memory of 3496	3124	Pnonbk32.exe	88
PID 3496 wrote to memory of 2276	3496	Pqmjog32.exe	89
PID 3496 wrote to memory of 2276	3496	Pqmjog32.exe	89
PID 3496 wrote to memory of 2276	3496	Pqmjog32.exe	89
PID 2276 wrote to memory of 2040	2276	Pmdkch32.exe	90
PID 2276 wrote to memory of 2040	2276	Pmdkch32.exe	90
PID 2276 wrote to memory of 2040	2276	Pmdkch32.exe	90
PID 2040 wrote to memory of 3432	2040	Pflplnlg.exe	91
PID 2040 wrote to memory of 3432	2040	Pflplnlg.exe	91
PID 2040 wrote to memory of 3432	2040	Pflplnlg.exe	91
PID 3432 wrote to memory of 2344	3432	Pncgmkmj.exe	92
PID 3432 wrote to memory of 2344	3432	Pncgmkmj.exe	92
PID 3432 wrote to memory of 2344	3432	Pncgmkmj.exe	92
PID 2344 wrote to memory of 4320	2344	Pdmpje32.exe	93
PID 2344 wrote to memory of 4320	2344	Pdmpje32.exe	93
PID 2344 wrote to memory of 4320	2344	Pdmpje32.exe	93
PID 4320 wrote to memory of 1952	4320	Pgllfp32.exe	94
PID 4320 wrote to memory of 1952	4320	Pgllfp32.exe	94
PID 4320 wrote to memory of 1952	4320	Pgllfp32.exe	94
PID 1952 wrote to memory of 3112	1952	Pjjhbl32.exe	95
PID 1952 wrote to memory of 3112	1952	Pjjhbl32.exe	95
PID 1952 wrote to memory of 3112	1952	Pjjhbl32.exe	95
PID 3112 wrote to memory of 4144	3112	Pmidog32.exe	96
PID 3112 wrote to memory of 4144	3112	Pmidog32.exe	96
PID 3112 wrote to memory of 4144	3112	Pmidog32.exe	96
PID 4144 wrote to memory of 1092	4144	Pqdqof32.exe	97
PID 4144 wrote to memory of 1092	4144	Pqdqof32.exe	97
PID 4144 wrote to memory of 1092	4144	Pqdqof32.exe	97
PID 1092 wrote to memory of 4684	1092	Pcbmka32.exe	98
PID 1092 wrote to memory of 4684	1092	Pcbmka32.exe	98
PID 1092 wrote to memory of 4684	1092	Pcbmka32.exe	98
PID 4684 wrote to memory of 3544	4684	Pgnilpah.exe	99
PID 4684 wrote to memory of 3544	4684	Pgnilpah.exe	99
PID 4684 wrote to memory of 3544	4684	Pgnilpah.exe	99
PID 3544 wrote to memory of 1328	3544	Pfaigm32.exe	100
PID 3544 wrote to memory of 1328	3544	Pfaigm32.exe	100
PID 3544 wrote to memory of 1328	3544	Pfaigm32.exe	100
PID 1328 wrote to memory of 1576	1328	Qnhahj32.exe	101
PID 1328 wrote to memory of 1576	1328	Qnhahj32.exe	101
PID 1328 wrote to memory of 1576	1328	Qnhahj32.exe	101
PID 1576 wrote to memory of 1420	1576	Qqfmde32.exe	102
PID 1576 wrote to memory of 1420	1576	Qqfmde32.exe	102
PID 1576 wrote to memory of 1420	1576	Qqfmde32.exe	102
PID 1420 wrote to memory of 4004	1420	Qdbiedpa.exe	103

C:\Users\Admin\AppData\Local\Temp\a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe
"C:\Users\Admin\AppData\Local\Temp\a6a89b52e12093da533c5267f032c88f5f2e91bd89bfd795840a1f40fd6570a2N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\Opdghh32.exe
  C:\Windows\system32\Opdghh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\Ocbddc32.exe
    C:\Windows\system32\Ocbddc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\Ojoign32.exe
      C:\Windows\system32\Ojoign32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        25⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        48⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        63⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        74⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        77⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        78⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        79⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        80⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        87⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        92⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        99⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1404
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1488
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 396
        114⤵
        Program crash
        
        PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5396 -ip 5396
1⤵
PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
443KB

MD5
09f585bdf99797fd6fdbed24b970460b

SHA1
e2c2c0c57427a75f3903aad2b9f87ae331856597

SHA256
d21ff2ae05ccb14a2851cbdbf74b1208710046a30b2721b9aa7f62029b1abe3d

SHA512
1d2e9f8b1cbe80f69769674d71017648d58fb3e1081d13f0d80745ec9b5aab88ac790fb9e3bb5d084fca96213cfa2cfa0bc11e878fdbb5ffd395bcb2f2870c31

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
443KB

MD5
beb172957b900f7bc4181fc70e513e3e

SHA1
4a884d83f5a72be2318bbc02b666154cf333e492

SHA256
900e0b520c292bba486ff88bb9f5ed5bbbbbbbf54cfa9245ebdc91c3892073a4

SHA512
8dc49c74d33640bc04168634c3f56b58eb2058b2d89b88ec87626fe8a2546f4fd59d76d3d40ab1ffaaced0d9fdb0bf217ca0c17fa73e39d792c38ecc1576c0ae

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
443KB

MD5
55f201f1878bbd7fad49a9bedc9b609a

SHA1
5c4ea035442a123197058129272191eca613b2b3

SHA256
3f47482ccb7ae2759931a457056abbc5fbcd0894c950e0bbe83558531864aab4

SHA512
2b21b98daf918db4e8519016030119e0b2e08d44dc5e29cdcb10bf608075dacb1f7be5e0637948fb1dc8a3a2c8dccb400bf9ac59f9490d293e77f1962a9c569b

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
443KB

MD5
62d007dc264c40df3fba822ca964dddc

SHA1
3c9c3c1d223e63990118dd6ff784550b325d1faf

SHA256
3f05a6032d500fc5d714a294faf3504f1ed27745d6bcedead1698dc31b0b1505

SHA512
3f7fea5495595eba633ab775ec16238d05ba46578b16b3521c650b0bbb288403683ce6ac1a6c7483c3591f92e0ffcf5a128aefc18a46e741960ba85e25cb4f80

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
443KB

MD5
936c050e72b52a3c71af0af9256373f0

SHA1
74791cdce4aa40df7485fc6aca1f9ab902860ef5

SHA256
bf3cdf98d823f5892e5cf2bf6324afeeafee03b9486f5bca76d2b752b0abed66

SHA512
af6fa29caa1ba059738e8a9a7480e6060cc1116d3ce910891dcebcfba0f82247385232e28a4d5af8763820a0bb87fc9f14d85bc7ef0d29b62601d475fe531d46

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
443KB

MD5
7b681ae0fa508c17731922a46baef115

SHA1
ae13f89c3bac7713f2f3968f54dbcd8076db3e4e

SHA256
544eee2f25596e343ce536f847774257f034864a34fe33868f6370de1ea42e09

SHA512
31bd1cd260d27842eaaf162c51e8b01382fae3717e6449fdb07b02be1607f450a8bc3233e65cd888d5d640dd46b6beb898897fa270986194f646ec2d49ffb7d4

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
443KB

MD5
028bb78acab0dbf6aeb812721b2a6738

SHA1
e5b4fcaeff144d23e359499436e4c3cdb818cb72

SHA256
d417b619fe6a61f0a1d679267b984434f4177bd79001fea725c26c657fec368b

SHA512
5090cd31e27daee7f1d9e6c205346f3821bad8fc4e32218be8b7ae3b5e44c1a853bfc8e40ffe1e188997fc1c3837217a0e1b95283bc94a9ee3d6e4b13797b67d

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
443KB

MD5
cc46a0d08842972cd050f4b0490eed92

SHA1
611b6420f6b05a891dac739f5d4bebde4dfa31eb

SHA256
a34077d7165db320d2c929bed5f471da717d3acf13c7a2f70ef429749eb12f43

SHA512
549289cb0d92a0d8fa01b068e75f1d41158982fa8a641ff804850ef12bc23a7f12531542fe9f3338ed692da71e8ef40dceab2b2d53c26b86825188bbf3364b82

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
443KB

MD5
e29f097da6d813be0592af5d5e65cb93

SHA1
1c59f3f1a73f411e038cb3b34fe91cc8940694a8

SHA256
0ac6c399bb73fc94acff781676cd0d081c6502138c46938b4d349e1b12102b4f

SHA512
e5d38f0fc286c49c3b0c58d01fe2e9dd745b3aa3950f1f52e6c621f496963e804de0b5307fc7c34f6765d040890890632f35a196e420e28d4e435f42240293ac

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
443KB

MD5
2c4179c3cdf58702fecb57033f964e25

SHA1
50ecf6cd6fbe6f9ae0b5ee9b98f2f4c9febd3218

SHA256
4abe7769bf67d5e827dfdbd4a0233ad9fb5200929da331e36731acc41c672685

SHA512
793e06aa9e625277824ab1c2c5081c56935b573a3330f1008943abab822540ad01864626f3b48b106176a3d32eb01bd4f5eff10cf39238b6948b7efa2fdaf8a8

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
443KB

MD5
92210fbaa8793542f17ca790b877dc0c

SHA1
f48911a05534935b563f43230418ddda87b395bf

SHA256
fda9949181f9ebe20007635a3dc90d20931c8863c3226de05cd04d314eda91f0

SHA512
8d0a222753bf8df100cfe211556ef33edafbfe650afe0927b661a84b534c8d6bb0881e2001a3bf2bb25ccd2cad3588a2b4f7b55f5d141bc6c51904ceef7b6995

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
443KB

MD5
37d001ea2695e7bf77ef2e87eca6416c

SHA1
50a2dd05dc837790f64765d7d71891c6e6ef58ce

SHA256
16e1c76ddd30444c3972172727f5e92d3077140dec42ae67f995bf53cfcc9378

SHA512
688f9528d7e9f6fdee66e4a9232634c47c1529fbaadda3dba8093cf76b9585df4c90b54d80a5e94dfd6ede8fe035238c290934cd5445ed1f5a8ccef044291d72

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
443KB

MD5
d24545ddfb0bb5e0e37646a1a42229c9

SHA1
5e04af6cfe637056ff10f910d5b8d061f0a89c1d

SHA256
1552d66c9c0c9d10347afab83d3f57c627b1d82ba29d02e41f053d187b7d0a07

SHA512
e31eb166a321d4f38f786077fe799d4eb3df9f23dd63f345b6649559ae680a054ff2d51e9888a9d53d08fb646bcd4fb1789bb6bd3d6fa2af2046ffd1623956a3

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
443KB

MD5
cadd41be6ce476e9b3b28f2b94e92db8

SHA1
7c41f3107e4e963d5a93c2c37c27a73d61d9d185

SHA256
28cdd1032467ce4db94fcb04c396074aa6f97501f4cf8a53e78d24f77112f715

SHA512
0202f9597df1b5b17d0f49fdfcdf481d36544a2676ed3555e7fb3a6227cf29121b79861a06ef12d90d9c385ee9cc8e929bdba768e0a89ab570fbf750591e08d3

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
443KB

MD5
8f2d8bddcdded28bc59f20f82d211640

SHA1
e9f65979791e21cb070cc4a53fc7b91ed1cbf253

SHA256
40913557099fd444a0cc1e3fbcc3b4be232c93701c7333f9c09aaf3ef873c2ad

SHA512
7a4d6a4cf081e81d7a1321c0563a8b64546ee24df83993f34ec6732165a4cc210f984af432a7ed85940627d16a86d7af64f606e1594b5180fe09bf9491457ff1

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
443KB

MD5
52823df50d1281cc59790823a8a7f793

SHA1
4a12a1415bcce98fbedd46ede1a31d51cfe5e4fb

SHA256
b3b462fe3fc3e5aea353b2cff5607de7de9c86428bc547fd37acce233daba559

SHA512
d820bf149fb13e196c24eb18d80c52948434f2a057a10e4fbd2edaf0cb24136fd3be574b2f77e719ec1df2e8cfd4aa126bd15228b916aca4d3d13689a8073d8c

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
443KB

MD5
3d6ca937a37a11e60bc0862e1c434ffe

SHA1
b4d55aeffc65324e3f4db62ae94e6eeb3a43df3d

SHA256
c311941d4e00f0ce77986638633fb6b27a344e45c943b19cff26e7288fa3f17a

SHA512
731e89b29b63846d3c9daba8ba66d747634c4653f4ff323d5ef87fa6aa84b832a3333aa5b0429df5c0b118e1929a07de59cfbc516fdc8f068001d2fc713eff0d

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
443KB

MD5
31340f0675e23a742fc5e9bb8bd121a8

SHA1
32b465c769b768429cebf160573e4564a02360fc

SHA256
364a754d5402f86be4800b53c2afaf9fd70c1f56677197a796f0cbe4e921c813

SHA512
972518e87cbbcd850e490b79ddff1cbe40f076efe5e5f29f0edb59ab9cc1630c07d47629c020f193b5175d806a0a20fa3d1aff753c51def862dbbb74b0490439

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
443KB

MD5
7d3a9632f0b28ec5353db97ac17c34e6

SHA1
18a1d61b238203da667c61bb678c334cb421c20b

SHA256
b4ecc6f9dc914613d5870d4bc772cbee9a7fd78cde2955b125c94f681aa327ef

SHA512
05e5e5b59924dac47d5e276f8483069219ca21e8caccefa0a6f55ec34d2143965eec9417c87c68c706850966bfafd5ab808124011acfe846e4b77b32993bf836

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
443KB

MD5
b81e2dea78109e1928d1f4f920375a82

SHA1
836fe87e962dea7456deec52e9b04a6bdcddf096

SHA256
814ad1f1134308cc8a54ae4a2f0d7fd5ba90ea6416fd87eb6a4f5732584e3e9f

SHA512
a02e33b0d3981623608f13843cf15a93547ef72d2a13c87ae39e34c9a4dd69becf7cf50f142f4863b2fdea3ea35444b32c98d912f63cdd6dc0556c138763f884

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
443KB

MD5
f3e259dee0609aefb4eef8a5d8d89e00

SHA1
44f77ff0154987476b894c162de8d080ce8315f0

SHA256
5fd60121fe9117911106a5bea6008d5b624754bae0db1e8eecc872677d678165

SHA512
b853b8172f2d4b31ec4469ebbec096a2d77a9117c7a8c98322f16e4fa6e6cd73bf5f3b0e3b6bfa142d76914ca697aae42690b9309c71a173bc1e42247cd939ad

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
443KB

MD5
525cfd26783d919560c85540b754120e

SHA1
702ff1f3f8bdc5ac8d5ae0bdfde6d9658375676c

SHA256
b471576e9e422029641b55b9601b68c7a91fd0230faad1f3708827db98b8dee4

SHA512
5f7fb16e7f0ec4658f7bf625dfff6cd2a6bba74bcb7c412537c706b57ea5a1a42092ad043ade3b6a0a0bc4b8e8bb46d3b5ddd6fe3e122cdb16418a5e70c53ae3

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
443KB

MD5
4a4a9f6ab91c589f128788c8f0fd8c9f

SHA1
359cdd6e236ebebfc38eeba42c2c49b79c9f4c1c

SHA256
51713b92b88c1d1aa062a03385eca47be6ebdf6fa3612769fb58e740f131bb3d

SHA512
2382914742214e44095ef4474ddac14acf28c198d0c41e6b4b47b136a8dab06222bbebfe9688af3c8eeed4e247d9ece7037e8c1e5051148d045a75ba89a1860a

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
443KB

MD5
57d0f95c779203ed525342142f6d324b

SHA1
a3166f685f556a3004a6be0f0682f6a1e2a278ad

SHA256
7c47eeab4c4d6e68054f095320bc56fbbc018d3ba033077ea2ad4c07ca284bf4

SHA512
49ed367044e7dea074fe038a4c14334bb2f765c31b1f64fd375ff7d3b9aa2fb510cab76163cafd1ecab88bdc34220a602bde6af5a7fe8684dfb1706d260f97db

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
443KB

MD5
8b3351ba8f0e6006a89295c867638f33

SHA1
f0c577913caae6d92102cbc639476937985fb4c4

SHA256
d99b173c0a2bebd1fde1b221a9236a10c5ab62d92ea86508f76e676ead0f154a

SHA512
fddc444d6e5cbdc9d52899f4484290094381f6259563ba2323f3831b1b02d0aa8041b652105f96d5d0a758c3dae57b1a8682eacc471cb2684f76c9593010151e

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
443KB

MD5
4419ce2cbf94f432d9f17ff355a3cd2a

SHA1
6de6ea4a75fd518ff52354c7ead9b87ecad23434

SHA256
e7a4c2f41c6610690edc26a52778ef0b6be201d208f9bd62f97b535467265704

SHA512
1f16d1253d8f4dcd79083d09b69c1f9adfb66fedd2715d21cde9f08e2fad5703ce9b95b406aa4c39bd2ef024f4c16c6ad89414a273e30b60c45c72135794b532

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
443KB

MD5
5eacee2cc0a100c66b431d73a38f1b4b

SHA1
a5769210ecc563bb061fb1372815a7645119ee75

SHA256
65c64d5b3eb1e9b248934df7d1e440a02297a7eb84cf9d933fee166eafb7f7cd

SHA512
e4907276741686abb776a79928b7b5b6ff496c8b3be20275b3f122aaf112bb1367cc119982d3c1af61cd43ef7522b35de4bcf452013a1c5eb61e39778869e067

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
443KB

MD5
58dbcf1cfa010fe49cbf645c1638c820

SHA1
01d0138694fb7055fffd1c58cc0d5f082e437737

SHA256
1a26dbc9bf4629b81d0fcd4d50de6ff432412af76e969048a3d66ca8af950bb2

SHA512
83aca0b11394c843194bd0c9eaf7344ef65bc2c6f8728cd701e7b7c1adde9f84db9a4a455ef60291d5f9fef84c124555dc2af076f81d2a29bf3c9d28c928e260

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
443KB

MD5
670cd172cc7e6df4fcdb884c5e371ffa

SHA1
f7b8827a11e089f48e4844ceb3cb8de8d9ab7c71

SHA256
f3ea2a94bf3a391f937e3f4ac89eab4364a88b4d8d84276fc91f24c4fa63ce60

SHA512
b6388c5d8051d47334a9a3037c4c8564adf34570c3d930f40f43985d0380db51640c803318d8877d092b9ddc168367669ffa1bd918d9efffe3003fb9f23c1331

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
443KB

MD5
fd31e8774ce178acc999ab701a1c3b73

SHA1
7d94b4b973074f2d8bab743d80339aed22ad7242

SHA256
23bdf1ddcd69928c31270606e80f2dbd02069e613233a648dc88d253449645fd

SHA512
9078e84cd5e4622e7e8784cb2f95dd9207f18d5d87a8161878d0dfb6033355119a778d0408b10aad3297e0c909c1654e52f70f12356d13145a51b57f1f786aa1

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
443KB

MD5
09e01f6f646c8e5c9106edfa8026b67b

SHA1
947ad463cc35b28dae376f9f8256a63391ed054c

SHA256
9879f90d26aadeeb600dd4e5283f955c2906336964f32fabdcb2dffac7ff0eef

SHA512
6c912a550f626ab84e52b78f37b571e4679d3f3c661fd6bc18e9f8d20b2d7f71b4df372ec57ba3da736d5f757c9a2c0f2e5d79611da83f1e8883f3b49fe27551

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
443KB

MD5
b7001bf82b602fe92094ba233e46b7ba

SHA1
2d769d0a2b81ccc4e8e95af377127d64a0ef34e6

SHA256
859a0637e3091341528e1649bb4b1c97012b2349b45b3b339608af95bf1e0dc9

SHA512
000719d758ea206f6f79cf37893d49b0075f8c818710288347557be08a36ad23e11d17f7a28e092d7dbdad087391a54b180ddf75f6ef3581e89dd000c5d29f41

Download Submit
memory/208-557-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/208-25-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/512-356-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/548-362-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/748-754-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1080-189-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1080-678-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1092-133-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1092-636-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1156-320-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1220-481-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1248-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1248-544-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1328-655-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1328-157-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1348-314-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1420-666-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1420-173-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1472-436-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1524-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1524-568-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1564-391-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-660-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-165-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1620-453-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1628-419-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1696-344-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1752-206-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1788-244-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1836-237-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1880-562-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1880-32-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1924-332-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1936-901-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1952-617-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1952-109-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2020-261-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2036-475-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-593-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2240-273-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2252-430-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-65-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-586-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2344-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2344-604-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2400-906-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2400-197-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-403-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2512-291-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2936-307-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2980-379-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3016-228-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3108-214-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3112-623-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3112-117-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3124-49-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3124-575-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3260-397-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3300-385-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3376-326-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3432-85-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3432-598-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3496-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3496-580-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3540-499-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3544-648-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3544-149-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3544-922-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3696-285-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3736-487-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3784-447-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3836-338-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4004-673-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4004-181-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4016-302-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4144-125-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4144-631-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4220-372-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4240-493-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4300-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4300-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4300-532-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4320-101-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4320-612-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4604-279-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4612-253-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4648-350-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4684-141-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4684-642-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4844-267-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4868-550-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4868-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5072-459-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5128-505-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5168-511-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5284-527-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5364-539-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5804-606-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5928-625-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads