berbew | 5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
Size

74KB
MD5

a01d51b75abef66eec8bec85bc11efd0
SHA1

2f486024adb15abef8c75fc61a39ebf382972efd
SHA256

5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2
SHA512

bea296eb0a16c2c685f832e2f823d74de217b19c1c021fe97883e978067002157f346b557149f5c2592e3e85321390222d925b3a7693db07719f9eb2659e96a0
SSDEEP

1536:/sduSNw+0PaqkuVr8/GEh8JbdurH41wgz:/SuSN3AkEr8bmJgT4Kgz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 61 IoCs

pid	Process
3320	Pcncpbmd.exe
5064	Pncgmkmj.exe
5076	Pdmpje32.exe
4016	Pgllfp32.exe
116	Pfolbmje.exe
3496	Pnfdcjkg.exe
1760	Pcbmka32.exe
2820	Pjmehkqk.exe
4952	Qqfmde32.exe
1916	Qdbiedpa.exe
4876	Qfcfml32.exe
3128	Qmmnjfnl.exe
1908	Qcgffqei.exe
724	Qffbbldm.exe
4628	Acjclpcf.exe
1236	Ageolo32.exe
2648	Ambgef32.exe
4464	Aclpap32.exe
1032	Afjlnk32.exe
3920	Anadoi32.exe
2940	Acnlgp32.exe
540	Ajhddjfn.exe
2740	Amgapeea.exe
1000	Aeniabfd.exe
5092	Aglemn32.exe
2636	Anfmjhmd.exe
3264	Aadifclh.exe
1856	Accfbokl.exe
2376	Bfabnjjp.exe
4736	Bnhjohkb.exe
2488	Bagflcje.exe
3336	Bcebhoii.exe
3500	Bfdodjhm.exe
4304	Beeoaapl.exe
1028	Bjagjhnc.exe
1896	Balpgb32.exe
1864	Bfhhoi32.exe
752	Banllbdn.exe
2236	Bhhdil32.exe
544	Bnbmefbg.exe
3004	Bapiabak.exe
4024	Cfmajipb.exe
4568	Cabfga32.exe
1516	Cjkjpgfi.exe
2372	Caebma32.exe
4416	Cfbkeh32.exe
4028	Cagobalc.exe
4752	Cjpckf32.exe
2060	Cajlhqjp.exe
3312	Cjbpaf32.exe
2168	Calhnpgn.exe
1608	Dfiafg32.exe
4516	Danecp32.exe
2292	Dfknkg32.exe
1992	Djgjlelk.exe
3852	Dhkjej32.exe
1460	Daconoae.exe
1780	Dfpgffpm.exe
3232	Daekdooc.exe
3040	Dhocqigp.exe
1144	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4996	1144	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bfhhoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3320	4456	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe	82
PID 4456 wrote to memory of 3320	4456	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe	82
PID 4456 wrote to memory of 3320	4456	5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe	82
PID 3320 wrote to memory of 5064	3320	Pcncpbmd.exe	83
PID 3320 wrote to memory of 5064	3320	Pcncpbmd.exe	83
PID 3320 wrote to memory of 5064	3320	Pcncpbmd.exe	83
PID 5064 wrote to memory of 5076	5064	Pncgmkmj.exe	84
PID 5064 wrote to memory of 5076	5064	Pncgmkmj.exe	84
PID 5064 wrote to memory of 5076	5064	Pncgmkmj.exe	84
PID 5076 wrote to memory of 4016	5076	Pdmpje32.exe	85
PID 5076 wrote to memory of 4016	5076	Pdmpje32.exe	85
PID 5076 wrote to memory of 4016	5076	Pdmpje32.exe	85
PID 4016 wrote to memory of 116	4016	Pgllfp32.exe	86
PID 4016 wrote to memory of 116	4016	Pgllfp32.exe	86
PID 4016 wrote to memory of 116	4016	Pgllfp32.exe	86
PID 116 wrote to memory of 3496	116	Pfolbmje.exe	87
PID 116 wrote to memory of 3496	116	Pfolbmje.exe	87
PID 116 wrote to memory of 3496	116	Pfolbmje.exe	87
PID 3496 wrote to memory of 1760	3496	Pnfdcjkg.exe	88
PID 3496 wrote to memory of 1760	3496	Pnfdcjkg.exe	88
PID 3496 wrote to memory of 1760	3496	Pnfdcjkg.exe	88
PID 1760 wrote to memory of 2820	1760	Pcbmka32.exe	89
PID 1760 wrote to memory of 2820	1760	Pcbmka32.exe	89
PID 1760 wrote to memory of 2820	1760	Pcbmka32.exe	89
PID 2820 wrote to memory of 4952	2820	Pjmehkqk.exe	90
PID 2820 wrote to memory of 4952	2820	Pjmehkqk.exe	90
PID 2820 wrote to memory of 4952	2820	Pjmehkqk.exe	90
PID 4952 wrote to memory of 1916	4952	Qqfmde32.exe	91
PID 4952 wrote to memory of 1916	4952	Qqfmde32.exe	91
PID 4952 wrote to memory of 1916	4952	Qqfmde32.exe	91
PID 1916 wrote to memory of 4876	1916	Qdbiedpa.exe	92
PID 1916 wrote to memory of 4876	1916	Qdbiedpa.exe	92
PID 1916 wrote to memory of 4876	1916	Qdbiedpa.exe	92
PID 4876 wrote to memory of 3128	4876	Qfcfml32.exe	93
PID 4876 wrote to memory of 3128	4876	Qfcfml32.exe	93
PID 4876 wrote to memory of 3128	4876	Qfcfml32.exe	93
PID 3128 wrote to memory of 1908	3128	Qmmnjfnl.exe	94
PID 3128 wrote to memory of 1908	3128	Qmmnjfnl.exe	94
PID 3128 wrote to memory of 1908	3128	Qmmnjfnl.exe	94
PID 1908 wrote to memory of 724	1908	Qcgffqei.exe	95
PID 1908 wrote to memory of 724	1908	Qcgffqei.exe	95
PID 1908 wrote to memory of 724	1908	Qcgffqei.exe	95
PID 724 wrote to memory of 4628	724	Qffbbldm.exe	96
PID 724 wrote to memory of 4628	724	Qffbbldm.exe	96
PID 724 wrote to memory of 4628	724	Qffbbldm.exe	96
PID 4628 wrote to memory of 1236	4628	Acjclpcf.exe	97
PID 4628 wrote to memory of 1236	4628	Acjclpcf.exe	97
PID 4628 wrote to memory of 1236	4628	Acjclpcf.exe	97
PID 1236 wrote to memory of 2648	1236	Ageolo32.exe	98
PID 1236 wrote to memory of 2648	1236	Ageolo32.exe	98
PID 1236 wrote to memory of 2648	1236	Ageolo32.exe	98
PID 2648 wrote to memory of 4464	2648	Ambgef32.exe	99
PID 2648 wrote to memory of 4464	2648	Ambgef32.exe	99
PID 2648 wrote to memory of 4464	2648	Ambgef32.exe	99
PID 4464 wrote to memory of 1032	4464	Aclpap32.exe	100
PID 4464 wrote to memory of 1032	4464	Aclpap32.exe	100
PID 4464 wrote to memory of 1032	4464	Aclpap32.exe	100
PID 1032 wrote to memory of 3920	1032	Afjlnk32.exe	101
PID 1032 wrote to memory of 3920	1032	Afjlnk32.exe	101
PID 1032 wrote to memory of 3920	1032	Afjlnk32.exe	101
PID 3920 wrote to memory of 2940	3920	Anadoi32.exe	102
PID 3920 wrote to memory of 2940	3920	Anadoi32.exe	102
PID 3920 wrote to memory of 2940	3920	Anadoi32.exe	102
PID 2940 wrote to memory of 540	2940	Acnlgp32.exe	103

C:\Users\Admin\AppData\Local\Temp\5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe
"C:\Users\Admin\AppData\Local\Temp\5db01ead38da4a5ae7ecc35780fe2e5355f1cde0ea7dbdd274cb8768f674f5e2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\Pncgmkmj.exe
    C:\Windows\system32\Pncgmkmj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\Pdmpje32.exe
      C:\Windows\system32\Pdmpje32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 408
        63⤵
        Program crash
        
        PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1144 -ip 1144
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
74KB

MD5
01b937e2a81bf21a97fac5656dbbed66

SHA1
e2ba2996d1d49fba1b832772fd5ee4b81349c7b7

SHA256
8664c22228a776768061e78c65a86ef0847a36b9b7b511f7a4faf1cd3d13f23a

SHA512
83791f3588f66c862bbed5e0348ef5763509be43ea5bd1d0655e58b523086af3528b144a7b48857ac3c34a375577bd58f1eec33c5a359aec45749f5bb1d459c9

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
74KB

MD5
d33ac9ada4c128080a4d2c0e0a467e38

SHA1
ba40455d791f08c7e775d96e4dcf85842cdcf518

SHA256
ebad3c419f763624fc19a8ae69e7bd08684c6f4c8ecc40b7c55796b7b485d0f1

SHA512
1afe6d46a44429dab07d034ff3d95e81025964c4fa22a85f32848c30d8200ac28846a7335a3537a4adf30f1f347ba2028fecaa6cb17b3fa690c2098ac43670de

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
74KB

MD5
440aee0603717c49fd04c70e1fc23533

SHA1
18921625c759af77afbd1fe241509bc0b5364982

SHA256
d5b40fad3aa7dcde62994572a87c8807ab435e45554b6813e886cd633b2e1b41

SHA512
a075d5c2b1fdc7f1dd66e97e79d9c2cf00b13bc2ddb3c2235c7c64b8255ed63985659b48b1e7a3faea553ac400b8d788dc0ba335f6e9246e16fe26e2197e3612

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
74KB

MD5
827792e78d06b15d8a3853c26a8ab9b9

SHA1
cd8abaab8693c65dc159d4341a0a9688309c7613

SHA256
2d5f6a4f28116755db1d9aa6f0455c0721982f284e6737479a0f0df9a996fb77

SHA512
65d6abba7162902deb5ce4249939521a2cd6bc28566b7cdf9ed615218f1c4cd3300e7d14d88ddd07fd9c841325a7a50bc9445e68054d6edb0c84e5037b720a51

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
74KB

MD5
07dafb10bf7225e375cb7a256252404e

SHA1
b0710cfa46f8203b7e77c0239b0cc148c1da0aa4

SHA256
74a5621a9f0890e4a71acc90d84d7f2c6317b102fbbe1872aa413f07455c3ef5

SHA512
5880358172c343b61761bb81fb19e9376f4c029121d356e45eafd1e8e7ddd7606f23d5f36d313f1b5216f6d7f2fb9ff416bc838e5fa9f2d0dd1687271c5ef41c

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
74KB

MD5
ebc4c930869f542ae4fb3e748621d9de

SHA1
f9e477d608d6e39472eef5709823e5c07f049fc3

SHA256
8fe3cb3157058456a48b4aa3d51d288c87f36c3cd5a5c6449034dc4449b26bec

SHA512
820df2a05556a2772bce6cebb2736f86bb04d9be5a1a93971ee5ffecffafde86009e3e649079ba755f6a70abc0373f79b5aacf09687bf62984c34cc9d3d2dddd

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
74KB

MD5
48f0e50c61b6259766e1755aae5accb5

SHA1
a980d9f7c26f0a4df5f2ae2bbde208566245298d

SHA256
a59f52a9801551b9fbd7d7eaa8b83ad49a6baa1831fa8e9fe4c195532d5cbc8e

SHA512
d8847786c5403b05c562fde7bd23000843c24cc9ee89ccd1c9e6d476fca6d2aa0f7974a962a140d7a60c5ca318eff78c5e608e16a642121abe68c147c738b387

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
74KB

MD5
791e9907eb4db127403f3a60a5f217a2

SHA1
1374cfbc9b6d8c4ecc488f8af936a71e26dcab22

SHA256
01b9a79e4f17a3b1e1833251051ac040f74c1bb725b7405df10382545f77fe8d

SHA512
6d00d27dc37100b84a254b05b8b85a359d4da617a79cc8d05c0194c7d414b62b6e6746f9de83baf2db2322180fb511087881e800f6d8bc409a70ae4580d8c063

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
74KB

MD5
19055a8abca4cea1a209f96b88193150

SHA1
8fba70448aa4d209d73e93ee04522c063f11136b

SHA256
3491c5c201d84e174a243e6ad72de54a8f74b1c6729d8ac53a9a142073a3ded4

SHA512
e95c3fba40f46861bb31bb9d4bdde4abc3a644bb3d5fc5d762cbd1ee9f33dcbc2668fa87fd37adf4e94b5ff6894fb13de2f39038df80bd4c97d614776a87b34f

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
74KB

MD5
242ac255dbbe2928e8c39442e4f38c19

SHA1
9b85b29d5cccf978880c344210b7ba7232f21e40

SHA256
eb2c3ebf940fb6f59870e48ef0a5f4cb7bf21620cebd20b811e52cb5ce907d10

SHA512
e56aa7aa8dfbcec739eaba40d33bb517772db42c888217295774870a34dbc69471a5bf1cb602b2456005a808bce097af5cf7cd42c07834b049fa6d5080fbc01c

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
74KB

MD5
eec2a99c4cec423d5f4a8fd877907ba4

SHA1
3cb91a1c72d67909736479fc3bc7e9952e528834

SHA256
e6e357eeca734812e9e30494b8fb7a5a9dc74e060583699c3e6b029403362726

SHA512
b29db24cd019d3a70726fca4d8666178d5543b8e6e9a4b6ddc9de62d5558721e50fbb3509081ec4fdd62fb4e3bd276cffe41f70b9ce28bf58123110a8beb9aa3

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
74KB

MD5
c51f140b2087030768a106150b6f5027

SHA1
8062a1163de955ed374e18a516f7176c209bd519

SHA256
5508ccaf66f765df664ba05117d8fac20891e345a765015ca5bf18d23eeff66e

SHA512
a0c3bc1a1d19b014fc4f1ae4108f35f565ed14a73dad7ea04e03477b2fb6e64c3fb71e1821741e9f612698ba1f4ccb49058e4bff103e26e9c8e20e1808883e1d

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
74KB

MD5
e01fcbea97f39dbf1e6f991f462e353e

SHA1
4c1a2708d0fa05a56f6cc84f640888170f46c6b8

SHA256
ac8d0c85649013ae2f34d9c2d833058864636e8b600a94789fc2bfd010bf18ab

SHA512
eb99186a84bc6d10787a68ae146777edec5d10e9cb9bc9ea0eacee8c558232f529e83a0b8114644afda63366d47431f896c26734bc36f08b8f445d6281ee5ced

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
74KB

MD5
0e06c90b35e92733860aca46f4e84ff5

SHA1
8ca1fb4c5e694207ddb77f3430d7934987726f11

SHA256
e51fd12027acfe699aa576ca2e04a0c6ba7fbef63684db9c02557a001ea92dad

SHA512
a86c229cb5bd7d9100a6cf9732e18b92fd4dc0df2eaaf429d79bbab38751fed55b2c01c723c3a39f5934df0dcb94705e1be014ed01a3bc3d04799cb6f6b15e80

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
74KB

MD5
870799588285ea1b2b2b5fe40fca3024

SHA1
1aec83ed4be79f9c28734c0f28ca03613977eff4

SHA256
fac141b2a3f2e9b44a025251e82e1a31105f898e321feb2b71591aaa566e818e

SHA512
fef790ea595d2585b54a4f8a2a0d10df4879c97cb0d434968e36fdef5f1ede7bd5e99525a33ef1b92ea91335a45c89bb2b9290804c304fbbe6fbfe07c27c281a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
74KB

MD5
f8c925fe9182be872ab48f177b4f353a

SHA1
e294aa328d5f47e2c065bf57b9b66b438b79f598

SHA256
316e8d6ae786651da2d0240086afc40c4aa7af90450ec43deed7bb1b4057800e

SHA512
784daccc047a8f575c7d4d65601b2cd4ad827d9dc86d4fb4a38a08913561e0b46699f671e51b29882ccc737e3ba49c66874fb47ba7254cbdf0a55a7a5c7966ad

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
74KB

MD5
2bf767b09dac70aceb4f91ed944e24cb

SHA1
25d7c1712806816ba1492e63f105ba4fc7e8127a

SHA256
e0cf252ba29d8f2af121056fbf4f4bcc769c7c140560d948097446318beae57f

SHA512
84c305e2236883e1ac3ed87f30a1d7c5a0b2a30588edb30be933cdc196028fcad986e9c75217901b844a98aa2a10a525c5c1a27408c3407475455e6e690f58df

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
74KB

MD5
146b9d2939314d2d798a1dd54a0e6b26

SHA1
adecbfb5149256a12e2d27c20d34a6ca7d6dd6f3

SHA256
09d4f8c8fbf40edce561cc15e7ae52d68818de131dd712e2435238c8c48324ef

SHA512
f3c5bcc31037570a3334851f8107a964a2112469b949d509f690dcbddc2d2065001dd5920a0215f9abc7dc0f34d6c12af255aaff9a7774a9f406c6966b89ee5c

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
74KB

MD5
e219a40f1293bb4d024f17275e88b0ee

SHA1
2279bd5c27576f60d8157430bec3de09208276ca

SHA256
b8c10b9afb0a2769714eb77f241f435b6fd547d8f255031727f7255bce1c10ad

SHA512
6c7b44470c85386b0f03fd9d0dbe463123022ec79bcf69264fdb0b8d690f9123bc8c2ac65665416a1b413f63580c33f713280ba7da1f9a02a109a770058cf488

Download Submit
C:\Windows\SysWOW64\Blfiei32.dll

Filesize
7KB

MD5
fb8ee64124e51057ce1ef74da93e29de

SHA1
db141a5a6e075d5197d42ba785c2a693848e7d4c

SHA256
705b97a31e98ad9f80362144c4abbd50c1ec5c63742aaed008e6966194d939de

SHA512
c382c488a93de6a0388b30d3663270b99606863d33f0d2539bd7ac13af7439f5addbbb7844911b57935e2ab192373f14961b10d9a14d19aff2f460303cd2e17a

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
74KB

MD5
3270c23b83a85b5b00f84e692e272d61

SHA1
cfa95f4d6f45a47a676a1586a6a4d867fecf2e40

SHA256
0c4e2814d57c1ac4df3314d39f024acaed1ed11f1dfaa64442647ad256b47d4e

SHA512
3766e98bd0ad010205503664db68a9a5609e0f6a65713f86c754be0c2b10378ba23413757aa4ffb8f3448c1593dc51406558a549edfbe8ffa433603ce78f4d3a

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
74KB

MD5
8a6febd77d482013b5f97d0c59b1d62a

SHA1
96c7a8ad3a9b6cbf1675627f410115afcbb44bec

SHA256
41698a7c7ed14f13999f86d3fe8ff440645920ab39ce4e632ef8500faafec7d3

SHA512
ba0aacacf415cacd46c3e2f727c3c75fb433f77794d180e39c6505e4be019ed0315b59a97cde059816a51d8eb9bf55720c0136e179b7d6371817a84ee436ee3d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
74KB

MD5
f7626acc2f716331429ce5320cb12fa2

SHA1
b7b55a475a233ac571c9418373d5b1dd4819d9be

SHA256
36b6058d5705d65e1a2566d831f69058c551f32671de3441ce0e9779221457cb

SHA512
dbc4ad31d39919e6c7bc885778d83b9fb4a02f0a2c1e630ff7f2354ae4447a04f0f9f449bbf044f53fa3a0d794e95ca6b2e1aeccf4d202fbd193823d5f6b9806

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
74KB

MD5
4083433f85e0cbb0c113cc754ca12f10

SHA1
999e6123a7e80e1a1366ddd7aa159b921080bffd

SHA256
4520333b072dbedfde45fb62848ce684cb1480678cc7c280343f4eecdadb47c6

SHA512
0d1aead0718abbb8e8d6430e9e7fb9b75ed895a7c55721a9ca27d3863edf9f25dbb2179612f979f042991542d30d2836f67e19e2f03f8a4d35461be1c7054475

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
74KB

MD5
92d9e5c57e35847fbdce5ef6b5bc72fd

SHA1
ee091bde5d2669c2bec02895de0aa9bc862c7525

SHA256
d3f485c9f830c8e9cee5dbac255527d49f7ddcf8e14963fc2dbf65179cb9dfaa

SHA512
778600b492ea551e148a264fd06fcdf03a2e5c8e1567ffe4fa8554e86f88853a46f6da60f3709c1f357a7c6e35b81931cc4d35f3d2a96bd1ea81a9bb545a78bc

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
74KB

MD5
3f4765e92240dea4bfa89d792952aeb2

SHA1
bf032a9a604052d78d1ca057518bc4a33a46d138

SHA256
c3a7ca3e758761a4bcb49b60d3a6ebdd82e6827330107fc4973c5965aa49af1e

SHA512
6328846f8fe9430b872b9b3714111df195fba0a462b9da76c8bccde38515ea8bc16fcf0a541e7a30f8a5e76f2956fe6c46a86d524f83ca61f7dc77c7a310782b

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
74KB

MD5
a917ff82f82613addfce3488d0d9a654

SHA1
50d44be94427c3bc1f8ae9c56b1ab913079d63da

SHA256
963722c9b208a286efe9c7e6533bbb5ed074ec41c261ff3b8b6f4f24ec58422e

SHA512
2e84dadbdcae8d54dc7b0a5b948494f0ead16375e201fd340a69d1eefb44d061e6608554354696eb36aac6a9055594e39ea6a07f7c3230b84e20f0d7fe9be991

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
74KB

MD5
852b218d6cc9a4e41f9aad5f6998c3f8

SHA1
67e63a6da37ffbeb44e989edf24c33288eb0a033

SHA256
de54a0a85211917317d84a9ae0491546e1a813b3a1ab1a612463b054b5c1b8c2

SHA512
6ee11e0389cafc34db45306e9a02a73af36dc9888e4d19b7c30f8a31d32d0157b204af3640df6289b3951a44402a76a79c4ba17015cccb193cc4e9f647b58ba2

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
74KB

MD5
5698d82cc376d60321ccae95b312140c

SHA1
66ad76ef190ec9718efa7df4792c776bada70562

SHA256
ed71838bf51ef6fedd534bce187476b3f309e6df49549ca7fd3e71a559f9b78a

SHA512
f3b3bd438e81a17f6d8c5d5b72432c74af610951a80c92f548fb5ce8fe955136bfa053ae970ad26b3df3fe6c84a1593a970715c0e731cd1c7611772138aa6bfc

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
74KB

MD5
bb97fa234fac688b02446ffde951b8d2

SHA1
dcebdfd7fdf3a658ba825aba97d73c450f82a586

SHA256
8048309d04bb6a08980fae156cd1ded69d8eab78720d27e5cfed8c43dbc799ca

SHA512
230a9450e9cc24633a3285e874c1006fd9b5d87470d7249851ba417a4c74277f5f0ff7321df5dfeebcc3245d390c29d5464f129f4426776a28e0c56d5f9bb072

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
74KB

MD5
44dbd3d750ace051e1fd884f73e45705

SHA1
6091601f5590714398bd5de7b7ce67c6a8463294

SHA256
90e4255f10fe522821e578bb084778345f985b333620192aa8efcb7eea32ca1c

SHA512
f0f9771311981194c467718c5d00ac311c5b984d40fad9e24a0c30daabab38182f4ceef5dd0afa6b68f92b51681ae6d2dd677cb124f24397fb198b5ec03dac02

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
74KB

MD5
ef2b555b964eb3900bdc1c26b661988e

SHA1
0b5dfcd1636212832674f57f748e2a1f7193bbed

SHA256
19532ae16b338d9c6b225fef94101c251577bdb0eb9375059c763155138cd0c4

SHA512
8fb8f2641c5153fe245c356b6ad0264150dc14a31cc11f747981536d147cdc3a849131b483be112ad6953dbc29e15c4bfa0962c4cfc4e369798a18b2432daabd

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
74KB

MD5
8797735267e3bb00be1479392af0805e

SHA1
30ad27ef39d7f69a63fa753f11e72f593bdf35e0

SHA256
8f09c2ebaccbad42d9072e496839b5f349292e05fd64286536283a8b40faed9d

SHA512
acb26beaa52ab80d4fc6d1f3c1f17434e5f40f564cd8936c9494137d811be7ed6318fd2d1850a035704882d98c7b187113b6fbe040ffca94dea2a5b425ebaa1e

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
74KB

MD5
61952a7a7fc56c30a5764a97d53ebf33

SHA1
8a2bdbdb124490a896f49f7096946e8fd9fa6ac9

SHA256
feb71a9a818e0f4adfd645ef9f8965e498efcef498dd7f510be29b8486a466b6

SHA512
a508c63d310b9411a74306b46288804c0673bfbabe476549ccbfa969fa5f0900de7b1c1113408fa2be9342023050567535ded2c5b876da374a405b1ffe542fe5

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
74KB

MD5
b5f902cb9c45f0356549459da75edd04

SHA1
c8ce9d17d2f2d213703822ca6927f941145ee4f0

SHA256
d74632248aa6d11d8fe50b5d8317c84b9b814250f0df66de5c7750a13a3b4bf9

SHA512
2d120c90122884dc267b518935e70f049cb98aab7ea0a0b1a536558c1f111f8ed30c32c4b8036a363570578f2759e6ce9f88de5a0f6d72f37c799fbfca34c0b1

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
74KB

MD5
77bc16b8926eb93ad7042c432bee7375

SHA1
91ed2d969d007f25536eb6f6e450efb9672f582a

SHA256
0fc0f7cf5ae54d31556e11a158c30f6a439c19f3a8397f085bc50061cbac9010

SHA512
f5a8bddd6bf90fd6f9fa539fb839079e39d10a8b9d15bed7002a2b1ae7cc58af6b58ba53da718207fd2c4e3fef144d340226b0c42887f9b9feffb9f59e168a8d

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
f44aa5d32b240d3944a8e3d8200a14ef

SHA1
6c76791feca8f42b94783b2828fde2eb714b1d88

SHA256
4a7690edc5ba616baf4285f4ea2c14fed66e076da93ec2d4158ce209b3e29981

SHA512
7d93c2001b3dbbf591d946fcddc094f1814ce414d430aedb80a3ac41075901db59e96e98577757d50d75449bd8b9fd666111563f096c1525fbf33fd0028e9601

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
74KB

MD5
62ab960a88f2c1c341dce4c66caf41e1

SHA1
4c35ba123d1e2ffa7e5b9aa4e7d33cb89de7227c

SHA256
dc5b5f2e2b51dbcd9b47848f4b1c4d5484b9d0a4566a08af586de1f606f579b7

SHA512
644b1da4f762a4ff8371b2026e3163a8127649af2ef3d04b804d6957a1e2513e3920e839d5f91d563b0728541f1a5876b8ed125e69c9d94bcbdcf76057dddb81

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
74KB

MD5
f8b4092d156486245e6ad30a81a4c8e3

SHA1
91cce28dcc95b2fccc5d93d14986cddc9fa0ad28

SHA256
0259a0eadcf49aa911ae153d54cceed13e17bb2b14ead66bd5dc77810054b2af

SHA512
3b9def61b66ba10319c98a034b4b6ed6312d9257099d35dc7b68350327033d4d71fefb994924179eecb887b746152634d763b7fb062fa8db7abebdb70c0abd92

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
74KB

MD5
2ac445bbe5ea74e8782995d3ce5dee78

SHA1
70e772a8edf1c9b3d8b779fad0b2b2af4a5d3b83

SHA256
4ed51d744c04068b64d91c63a1a756f064490ca4eb6ca257bf740dca135d99be

SHA512
693c3533cde64e8ae4b4f460ca1e90cf4f26f88b0431f04055dd9ed893b7774a9527304985aac5f3420e29f6eaed58e128f0dc6275140a1c53d061f3ef0cf9bb

Download Submit
memory/116-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/544-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/544-451-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/724-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/752-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/752-453-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1000-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1028-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1028-456-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1236-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1460-435-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1460-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-447-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-439-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1760-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1780-434-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1780-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1856-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1856-463-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1864-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1864-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1896-455-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1896-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1908-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1916-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1992-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1992-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2060-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2060-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2168-440-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2168-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2236-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2236-452-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2372-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2372-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2376-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2376-462-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2648-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2940-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-450-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3040-432-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3040-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3128-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3232-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3232-433-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3264-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3264-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3312-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3312-441-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3320-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3336-459-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3336-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3496-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3500-458-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3500-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3852-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3920-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4016-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4028-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4028-444-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4304-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4304-457-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4416-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4416-445-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4516-438-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4516-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4628-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4752-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4752-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4876-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5092-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads