berbew | b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9

Analysis

max time kernel
16s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Size

85KB
MD5

db515418d3270a4e8186eb38097dcc10
SHA1

e4b4c35e57116bdcfc6752328479d233fd187b37
SHA256

b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9
SHA512

0eeaa304dae1943fcf2af658caf0e0b7ffb894cdc59c1946c7557c09dab95beb33c3911264a3b2434eaefebbeda2663969ab5881896ba21c3ce8653df8efc249
SSDEEP

1536:t8+Sm20V1m6y/HC6OylO7uXcNvvm5yw/Lb0OUrrQ35wNB5:O+nrV1mBHC6Ol7usluTXp65

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plcied32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqoaefke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfikc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqoaefke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podbgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhkdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjblcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjhjf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 25 IoCs

pid	Process
2436	Plcied32.exe
2792	Pelnniga.exe
2760	Podbgo32.exe
2900	Pkkblp32.exe
2788	Pqhkdg32.exe
2704	Pjppmlhm.exe
2240	Pqjhjf32.exe
2172	Pjblcl32.exe
2284	Qdhqpe32.exe
2892	Qjeihl32.exe
2844	Qqoaefke.exe
1740	Aijfihip.exe
608	Aqanke32.exe
1648	Ailboh32.exe
2832	Aofklbnj.exe
2364	Aioodg32.exe
1192	Aoihaa32.exe
2492	Abgdnm32.exe
1812	Aialjgbh.exe
2884	Akphfbbl.exe
2600	Agfikc32.exe
2480	Ajdego32.exe
1600	Ablmilgf.exe
2280	Bejiehfi.exe
2984	Bmenijcd.exe

Loads dropped DLL 54 IoCs

pid	Process
2316	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
2316	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
2436	Plcied32.exe
2436	Plcied32.exe
2792	Pelnniga.exe
2792	Pelnniga.exe
2760	Podbgo32.exe
2760	Podbgo32.exe
2900	Pkkblp32.exe
2900	Pkkblp32.exe
2788	Pqhkdg32.exe
2788	Pqhkdg32.exe
2704	Pjppmlhm.exe
2704	Pjppmlhm.exe
2240	Pqjhjf32.exe
2240	Pqjhjf32.exe
2172	Pjblcl32.exe
2172	Pjblcl32.exe
2284	Qdhqpe32.exe
2284	Qdhqpe32.exe
2892	Qjeihl32.exe
2892	Qjeihl32.exe
2844	Qqoaefke.exe
2844	Qqoaefke.exe
1740	Aijfihip.exe
1740	Aijfihip.exe
608	Aqanke32.exe
608	Aqanke32.exe
1648	Ailboh32.exe
1648	Ailboh32.exe
2832	Aofklbnj.exe
2832	Aofklbnj.exe
2364	Aioodg32.exe
2364	Aioodg32.exe
1192	Aoihaa32.exe
1192	Aoihaa32.exe
2492	Abgdnm32.exe
2492	Abgdnm32.exe
1812	Aialjgbh.exe
1812	Aialjgbh.exe
2884	Akphfbbl.exe
2884	Akphfbbl.exe
2600	Agfikc32.exe
2600	Agfikc32.exe
2480	Ajdego32.exe
2480	Ajdego32.exe
1600	Ablmilgf.exe
1600	Ablmilgf.exe
1580	Bkdbab32.exe
1580	Bkdbab32.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qdhqpe32.exe	Pjblcl32.exe
File opened for modification	C:\Windows\SysWOW64\Aofklbnj.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Akphfbbl.exe	Aialjgbh.exe
File opened for modification	C:\Windows\SysWOW64\Agfikc32.exe	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Lnofaf32.dll	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Iibjbgbg.dll	Ajdego32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Pelnniga.exe	Plcied32.exe
File created	C:\Windows\SysWOW64\Pqhkdg32.exe	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Enalae32.dll	Qjeihl32.exe
File created	C:\Windows\SysWOW64\Cfjjhnge.dll	Qqoaefke.exe
File created	C:\Windows\SysWOW64\Okcnkb32.dll	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Abgdnm32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Qqbhmi32.dll	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
File opened for modification	C:\Windows\SysWOW64\Pkkblp32.exe	Podbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjppmlhm.exe	Pqhkdg32.exe
File created	C:\Windows\SysWOW64\Pjblcl32.exe	Pqjhjf32.exe
File opened for modification	C:\Windows\SysWOW64\Aijfihip.exe	Qqoaefke.exe
File opened for modification	C:\Windows\SysWOW64\Ailboh32.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Jahonm32.dll	Ailboh32.exe
File created	C:\Windows\SysWOW64\Dcemgk32.dll	Abgdnm32.exe
File created	C:\Windows\SysWOW64\Hnjfjm32.dll	Podbgo32.exe
File created	C:\Windows\SysWOW64\Pkmnfogl.dll	Pjppmlhm.exe
File created	C:\Windows\SysWOW64\Hncklnkp.dll	Qdhqpe32.exe
File created	C:\Windows\SysWOW64\Qqoaefke.exe	Qjeihl32.exe
File opened for modification	C:\Windows\SysWOW64\Qqoaefke.exe	Qjeihl32.exe
File created	C:\Windows\SysWOW64\Ailboh32.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Plcied32.exe	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
File created	C:\Windows\SysWOW64\Pjppmlhm.exe	Pqhkdg32.exe
File created	C:\Windows\SysWOW64\Cbkingcj.dll	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Ajdego32.exe	Agfikc32.exe
File created	C:\Windows\SysWOW64\Bejiehfi.exe	Ablmilgf.exe
File opened for modification	C:\Windows\SysWOW64\Pqjhjf32.exe	Pjppmlhm.exe
File opened for modification	C:\Windows\SysWOW64\Ajdego32.exe	Agfikc32.exe
File created	C:\Windows\SysWOW64\Ablmilgf.exe	Ajdego32.exe
File opened for modification	C:\Windows\SysWOW64\Bejiehfi.exe	Ablmilgf.exe
File opened for modification	C:\Windows\SysWOW64\Pelnniga.exe	Plcied32.exe
File opened for modification	C:\Windows\SysWOW64\Podbgo32.exe	Pelnniga.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Akphfbbl.exe	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Agfikc32.exe	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Akgdjm32.dll	Pelnniga.exe
File created	C:\Windows\SysWOW64\Pgmobakj.dll	Agfikc32.exe
File opened for modification	C:\Windows\SysWOW64\Abgdnm32.exe	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Plcied32.exe	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
File created	C:\Windows\SysWOW64\Ihdhmkjd.dll	Pjblcl32.exe
File opened for modification	C:\Windows\SysWOW64\Qjeihl32.exe	Qdhqpe32.exe
File created	C:\Windows\SysWOW64\Aofklbnj.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Qdhqpe32.exe	Pjblcl32.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Aijfihip.exe
File created	C:\Windows\SysWOW64\Aoihaa32.exe	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Pqhkdg32.exe	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Abgqlf32.dll	Aialjgbh.exe
File opened for modification	C:\Windows\SysWOW64\Aialjgbh.exe	Abgdnm32.exe
File opened for modification	C:\Windows\SysWOW64\Ablmilgf.exe	Ajdego32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Ddmfllng.dll	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Aijfihip.exe	Qqoaefke.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Denlga32.dll	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Aofklbnj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	2984	WerFault.exe	55

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pelnniga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aialjgbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plcied32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjblcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjeihl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfikc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdego32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdhqpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhkdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejiehfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkdbab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqoaefke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijfihip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablmilgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkkblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjppmlhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aofklbnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjhjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailboh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akphfbbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqhkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll"	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmobakj.dll"	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnofaf32.dll"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqbhmi32.dll"	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll"	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncklnkp.dll"	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgdjm32.dll"	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibmchmc.dll"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjhnge.dll"	Qqoaefke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqoaefke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkdbab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcnkb32.dll"	Akphfbbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Podbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbkingcj.dll"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmnfogl.dll"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjeihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akphfbbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlga32.dll"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfgdd32.dll"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalae32.dll"	Qjeihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgqlf32.dll"	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll"	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Podbgo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2436	2316	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe	30
PID 2316 wrote to memory of 2436	2316	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe	30
PID 2316 wrote to memory of 2436	2316	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe	30
PID 2316 wrote to memory of 2436	2316	b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe	30
PID 2436 wrote to memory of 2792	2436	Plcied32.exe	31
PID 2436 wrote to memory of 2792	2436	Plcied32.exe	31
PID 2436 wrote to memory of 2792	2436	Plcied32.exe	31
PID 2436 wrote to memory of 2792	2436	Plcied32.exe	31
PID 2792 wrote to memory of 2760	2792	Pelnniga.exe	32
PID 2792 wrote to memory of 2760	2792	Pelnniga.exe	32
PID 2792 wrote to memory of 2760	2792	Pelnniga.exe	32
PID 2792 wrote to memory of 2760	2792	Pelnniga.exe	32
PID 2760 wrote to memory of 2900	2760	Podbgo32.exe	33
PID 2760 wrote to memory of 2900	2760	Podbgo32.exe	33
PID 2760 wrote to memory of 2900	2760	Podbgo32.exe	33
PID 2760 wrote to memory of 2900	2760	Podbgo32.exe	33
PID 2900 wrote to memory of 2788	2900	Pkkblp32.exe	34
PID 2900 wrote to memory of 2788	2900	Pkkblp32.exe	34
PID 2900 wrote to memory of 2788	2900	Pkkblp32.exe	34
PID 2900 wrote to memory of 2788	2900	Pkkblp32.exe	34
PID 2788 wrote to memory of 2704	2788	Pqhkdg32.exe	35
PID 2788 wrote to memory of 2704	2788	Pqhkdg32.exe	35
PID 2788 wrote to memory of 2704	2788	Pqhkdg32.exe	35
PID 2788 wrote to memory of 2704	2788	Pqhkdg32.exe	35
PID 2704 wrote to memory of 2240	2704	Pjppmlhm.exe	36
PID 2704 wrote to memory of 2240	2704	Pjppmlhm.exe	36
PID 2704 wrote to memory of 2240	2704	Pjppmlhm.exe	36
PID 2704 wrote to memory of 2240	2704	Pjppmlhm.exe	36
PID 2240 wrote to memory of 2172	2240	Pqjhjf32.exe	37
PID 2240 wrote to memory of 2172	2240	Pqjhjf32.exe	37
PID 2240 wrote to memory of 2172	2240	Pqjhjf32.exe	37
PID 2240 wrote to memory of 2172	2240	Pqjhjf32.exe	37
PID 2172 wrote to memory of 2284	2172	Pjblcl32.exe	38
PID 2172 wrote to memory of 2284	2172	Pjblcl32.exe	38
PID 2172 wrote to memory of 2284	2172	Pjblcl32.exe	38
PID 2172 wrote to memory of 2284	2172	Pjblcl32.exe	38
PID 2284 wrote to memory of 2892	2284	Qdhqpe32.exe	39
PID 2284 wrote to memory of 2892	2284	Qdhqpe32.exe	39
PID 2284 wrote to memory of 2892	2284	Qdhqpe32.exe	39
PID 2284 wrote to memory of 2892	2284	Qdhqpe32.exe	39
PID 2892 wrote to memory of 2844	2892	Qjeihl32.exe	40
PID 2892 wrote to memory of 2844	2892	Qjeihl32.exe	40
PID 2892 wrote to memory of 2844	2892	Qjeihl32.exe	40
PID 2892 wrote to memory of 2844	2892	Qjeihl32.exe	40
PID 2844 wrote to memory of 1740	2844	Qqoaefke.exe	41
PID 2844 wrote to memory of 1740	2844	Qqoaefke.exe	41
PID 2844 wrote to memory of 1740	2844	Qqoaefke.exe	41
PID 2844 wrote to memory of 1740	2844	Qqoaefke.exe	41
PID 1740 wrote to memory of 608	1740	Aijfihip.exe	42
PID 1740 wrote to memory of 608	1740	Aijfihip.exe	42
PID 1740 wrote to memory of 608	1740	Aijfihip.exe	42
PID 1740 wrote to memory of 608	1740	Aijfihip.exe	42
PID 608 wrote to memory of 1648	608	Aqanke32.exe	43
PID 608 wrote to memory of 1648	608	Aqanke32.exe	43
PID 608 wrote to memory of 1648	608	Aqanke32.exe	43
PID 608 wrote to memory of 1648	608	Aqanke32.exe	43
PID 1648 wrote to memory of 2832	1648	Ailboh32.exe	44
PID 1648 wrote to memory of 2832	1648	Ailboh32.exe	44
PID 1648 wrote to memory of 2832	1648	Ailboh32.exe	44
PID 1648 wrote to memory of 2832	1648	Ailboh32.exe	44
PID 2832 wrote to memory of 2364	2832	Aofklbnj.exe	45
PID 2832 wrote to memory of 2364	2832	Aofklbnj.exe	45
PID 2832 wrote to memory of 2364	2832	Aofklbnj.exe	45
PID 2832 wrote to memory of 2364	2832	Aofklbnj.exe	45

C:\Users\Admin\AppData\Local\Temp\b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe
"C:\Users\Admin\AppData\Local\Temp\b34411d852c7198dd69e5d99cc57f969d42e0af5c25f3c1b79932928329745e9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Plcied32.exe
  C:\Windows\system32\Plcied32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\Pelnniga.exe
    C:\Windows\system32\Pelnniga.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Podbgo32.exe
      C:\Windows\system32\Podbgo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Pkkblp32.exe
        
        C:\Windows\system32\Pkkblp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\Pqhkdg32.exe
        
        C:\Windows\system32\Pqhkdg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Pjppmlhm.exe
        
        C:\Windows\system32\Pjppmlhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Pqjhjf32.exe
        
        C:\Windows\system32\Pqjhjf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Pjblcl32.exe
        
        C:\Windows\system32\Pjblcl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Qdhqpe32.exe
        
        C:\Windows\system32\Qdhqpe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Qjeihl32.exe
        
        C:\Windows\system32\Qjeihl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Qqoaefke.exe
        
        C:\Windows\system32\Qqoaefke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Aijfihip.exe
        
        C:\Windows\system32\Aijfihip.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Ailboh32.exe
        
        C:\Windows\system32\Ailboh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Aofklbnj.exe
        
        C:\Windows\system32\Aofklbnj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Abgdnm32.exe
        
        C:\Windows\system32\Abgdnm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Aialjgbh.exe
        
        C:\Windows\system32\Aialjgbh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Akphfbbl.exe
        
        C:\Windows\system32\Akphfbbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Agfikc32.exe
        
        C:\Windows\system32\Agfikc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ajdego32.exe
        
        C:\Windows\system32\Ajdego32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Ablmilgf.exe
        
        C:\Windows\system32\Ablmilgf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Bejiehfi.exe
        
        C:\Windows\system32\Bejiehfi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bkdbab32.exe
        
        C:\Windows\system32\Bkdbab32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgdnm32.exe

Filesize
85KB

MD5
57e8dac2c504fd303e8736b1c9b39660

SHA1
275a7b4546a1185728ab5c8c4962436202015893

SHA256
1eb3a9ad415d1e3d2629b3677ca3a18b51dd900b262ee7672bb90cb43f9f6ce3

SHA512
a04e189922730ef7237669a7da8f5fddb8b3246f1cdcb13f8526ee70065e57419d698334d5e2347a6ef8a9af5aeb6075bc7177be33c56809a8107f85397bfebe

Download Submit
C:\Windows\SysWOW64\Ablmilgf.exe

Filesize
85KB

MD5
27ab1b657262e47ae2e787d1fd75426d

SHA1
8c0e2dcbfdf2b39cce2a3c67f0cbb23ee991980c

SHA256
a8c3564f5732d772c9dc6cfb099aa8aff52296c092fc758ffbd1bf7532aad28b

SHA512
64be7bc9c4e7ff4b6320d9bb12e38695213be545580aeb2c4e08fc4150f8b6d4fbf89a54f016cbf4d7703831cbd1d18dc96c823a99d07d2e93c143777cc3e1fc

Download Submit
C:\Windows\SysWOW64\Agfikc32.exe

Filesize
85KB

MD5
ed9c70ace0660bfe8f063c051f9767c4

SHA1
174157538f4172c1332dcc0cca72bede4f6157e3

SHA256
63710fe5b7c4174553b3583842cf20da891f5c70de8c529889c027a283044075

SHA512
0bb843b1e2675a8b8edfeb9ca0c1edcf45d2f0a21a6d29c4e8884cba6e8878f721bf1d2ef633928de946407860bacdd5f5de470763b0c355609243c2435f1e97

Download Submit
C:\Windows\SysWOW64\Aialjgbh.exe

Filesize
85KB

MD5
03db007865056caf0f5e85dcad365915

SHA1
b9f180f98c90a4ddaf78f0a8203bf1afa528fc80

SHA256
bd34c2718d9de6c94ba3d1c27920153a93611e5e3e95dd685ba8556f7ab4ecd3

SHA512
4c7eb6dac7292b89b2da61d6b72bb3e772f519e9c8e7a0a9ec3cabfb103738ad21856b013869227aac8235d2c3ef9a0218fbb680116dca038c531f9cb39d1d71

Download Submit
C:\Windows\SysWOW64\Ajdego32.exe

Filesize
85KB

MD5
3d67843753820eeab4046b9e7eda0893

SHA1
dfefcd20fd3f8a4977be405fe8145f82c6b1333f

SHA256
3c0448743afd4bbfcff47b3d3efc013ffb90923a910736aed296cfb4c058cf25

SHA512
ed5fecc7f9f2f670198fd2e90b3f4e3b22fc0e6f313f7c193f7e47138997f43a7a410eecff62c75be229f5fe92f941ea29a280b50ac976244e25fddfa3f0e45a

Download Submit
C:\Windows\SysWOW64\Akphfbbl.exe

Filesize
85KB

MD5
b5c269eada4c476d38a94dad2301e88c

SHA1
dd180f10a1ca06ffd78167876d314f08f54e7bde

SHA256
7d3138a11fecf9f1d79d524a2b3328d448173e91141a434b83e341c671742969

SHA512
e3003f8a77d1705f7532dd7a4054c9e50bb3efd76f37752d2d2438145e5c466d4557966d93b1db951a638201b76d7cb3cf97e4772c3af11cffb6b44749fe7f84

Download Submit
C:\Windows\SysWOW64\Aoihaa32.exe

Filesize
85KB

MD5
6ac951f21746f8cf4e5b62fded1c17b2

SHA1
4b26504d3b1b25965a3b7fb64a7d8f325173e9fd

SHA256
a2c70eacffa138b9ab0707459b198efe43c4cc29acae69a1c951d77b5adeaa4b

SHA512
cd9262591f7fdb42436a248a19c7cbb033ab13eb85407c692e49ccabe443168b34039fc92c27a0a3ebae31b9a18277e1039628bdfa6bd0bf7d4b6cb28deda4fa

Download Submit
C:\Windows\SysWOW64\Bejiehfi.exe

Filesize
85KB

MD5
b8c0bfd5a43542b128f1c0a95fc0077c

SHA1
c247038ce85870078a919a6b4227ec0b58b0238c

SHA256
0afc90a6c0738ec9462bc4c5197eedd3d94a044300b4b0a1e95f8aa62c698511

SHA512
9bdcb530e17a14414cd5099b5e9b25b22678ac012c4d96c038c3bed1aca77057746cd48472b944eca45c7512ee49ffeaac8e7d54433c69f2e60538ef099608af

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
85KB

MD5
6b21531094603f5aafb3aba939dd8369

SHA1
f51b7f82bb7ff133ddda4b63d82cc66d1dbbe460

SHA256
466844d51c7749b78a048eabf352d433dd9a961c74391eba5e8923cd900d2daf

SHA512
ea613cce7599124679a1096c87c6ccc4e6f30336627bf149d20ebf4f414d3c9a3113209394b03b7259dc845bb128145cbad649ad0a7b308049c73feb9912911c

Download Submit
C:\Windows\SysWOW64\Plcied32.exe

Filesize
85KB

MD5
bb7d28d6a28246e1a71d670ffd94332f

SHA1
015b1bf7a3be8efa08f4faeddbbdab2ae763fdd2

SHA256
97a8510457be24ad68c47926078a9b555d0942971b52b5f7256a1cb4e6b751c5

SHA512
48e6e6a1004197548e58351ba0e6d0e71313a2ea648131c446f80081b933f4f2d8ff689af66cdc3cc7dcd4ed381419bbe4040ce0ae5494d33dd26a2c1e4bcf07

Download Submit
\Windows\SysWOW64\Aijfihip.exe

Filesize
85KB

MD5
bcd29f6353db4a074a3eb77bcb60f997

SHA1
5bd170f49f42e50468e8f9015336f8e383422781

SHA256
057b21b6324eb3da601d271e9483a84c75150637bc369c23471cdf3f7443d80d

SHA512
519c6a102b0c54c72aef0c21f2855ec358afb7c666d5b53761caefbe86fdc4cc83b360c8fc0b7b63cf59c39b555f57ca66651116e3af03aaefcbafd1e7881695

Download Submit
\Windows\SysWOW64\Ailboh32.exe

Filesize
85KB

MD5
6e2dd46ed9771c93c1eb05b38a88d69a

SHA1
c6c5b81f9a997c07d724854342d8cba96c3e3a34

SHA256
868bcb396962c2bb96a49f06c0c0bd38401054779980b089d33f6a6759688a4a

SHA512
d7f8998b32e8f3a190db9273a08e27389c95a5745f3b1bfc5b4e3a27f92a50a9c943a2b065bd0542d2396a5b8d5c5a0801dc878f4cd020c7d8024d631f83e174

Download Submit
\Windows\SysWOW64\Aioodg32.exe

Filesize
85KB

MD5
5aeb5b3132095d34faae87727b7004f0

SHA1
d9b446904e393c3e510e267b83f5710b7fe41494

SHA256
b08b361e4ff70fc43127e0044a529caf3f0fc203bdb450a41eef11ebff31d1de

SHA512
438b279fa76f26927a515ab32e9051f8d718908d9e108d02a655098e986487c01f222550b6755dd0316a4b903b47e1cc6b96f2b694b158ab250c51ee6d269a72

Download Submit
\Windows\SysWOW64\Aofklbnj.exe

Filesize
85KB

MD5
86ccf58539109d5b7ffca124ed17f80d

SHA1
fec86505ce823bfddff7d1905113e231c0faf3e4

SHA256
6c29fca2ba4edde335655aa3a28423f3e91bc52b8b6eae40f03644ea095c8da5

SHA512
5ade8f6cf9f211ffbd33bb4ed1ce723428b2eb7ade3ec0f81f12614e5c33327d28614e27eef73136ba14f4e4120345bcec7a346ff4a5bbfe1c68735493e93e91

Download Submit
\Windows\SysWOW64\Aqanke32.exe

Filesize
85KB

MD5
84f2592861fb8a8f297adbc84af55059

SHA1
37e8ed8dd5b83d2f6401cc5261e09cca1e26604b

SHA256
198b092f4834770e7d68c910d27f9586132745e7aef006cb601503ca8d16b4e9

SHA512
f35b4e400049e3d256253b03622e345105298fc3357650f559dd1faf03ffba8d915288fabc21d2adca0da097425a0bc3f7df32783842be54d41bbd7e73f30977

Download Submit
\Windows\SysWOW64\Pelnniga.exe

Filesize
85KB

MD5
3a430a02308dbf498f7cd748d9d84bdb

SHA1
7ee81a72ef3c953498ded42df762693553a8f7f9

SHA256
801bdfe7485d8ac710d62455d3605a48cd661c95ec052e78b51c924dbc437465

SHA512
83b90867c0b1120d46c46612fc9fe194494c184984d5562ad7feb318921576c9fafff958f3b7f5312cdc0587b351b5f3c1450275eabedf740052b8acba797d6f

Download Submit
\Windows\SysWOW64\Pjblcl32.exe

Filesize
85KB

MD5
e058dd2bd4c652a40e40f2dadf1ed7ef

SHA1
c671283f4cec11808a55e84e827ec5fbb79681d1

SHA256
ee6056473d567173946525fb4d6642450ff776099015046c1a7e604ef773c84d

SHA512
3c3b1be21e67eeeeba39edc0872e9bfbce117e43f8b12aebd793fc6dc841888f8af4a058ad89f8b56a3cdbaadaae5fad92cebf64f0d68bf659c0780fec2611a1

Download Submit
\Windows\SysWOW64\Pjppmlhm.exe

Filesize
85KB

MD5
3722c156c7c60d7dbb638e6932acc26e

SHA1
7385e9c9a3a848a3ca5095601cc3f4033070f8b2

SHA256
4aadccb42e4bd3ce0fb5330b5e0d1d98be48c0a3156c7e021941f2982bca9cf2

SHA512
cb85bbcb5a395c639acb2d7d7317c1c1d6e43fa7f18497dee74c7a043ba7fb96c562a59375ecd5d07bf3e1562ea462ba7d711e3151b1942b777a6d1aa323c49b

Download Submit
\Windows\SysWOW64\Pkkblp32.exe

Filesize
85KB

MD5
03222a5b4986d0d6e229739fb4df039f

SHA1
93aef1bd0c8d3f282c2274888479d4daa342bc56

SHA256
f1d0e6401624a76117c852d582fa9e5264f57cef60150edc472f214de6120d3b

SHA512
05722f138e8e673bddad84c1c46bf25ececee8e8b41726937aa6dd653f536143a8c1741494e614d2a264afeb9316b5a3c061cdb6e69862493767ab40d161bbb9

Download Submit
\Windows\SysWOW64\Podbgo32.exe

Filesize
85KB

MD5
c4556ca45e162ebc66df925ed5817f1d

SHA1
6603185a657776ce847deb8d463a554b8e26dff7

SHA256
5ebcca4db764ec15a1287f1ce1eae55f10b597c968187b3e77311de0f845e959

SHA512
c6c34c2e4186fd68e5d7ab3547cba5195d15024b551ab9a9ccab70c08ef9effbcb8cde2a7a2e09e120143e2a179727dadc416c1e6ee6b7d105ee7f0f64cd4c52

Download Submit
\Windows\SysWOW64\Pqhkdg32.exe

Filesize
85KB

MD5
43cf230f434a0a9b4f7ea401f414c019

SHA1
3bfdfa44c879c7f318c5c403dd88a9ac7503dc53

SHA256
1057a7b31f5b895452b7f9ee931ac5c8cc053d37c28aa0de9c488f19c3df5857

SHA512
4bfd801736538d8268ce0802316220e0193179e8c6c9e4727e663813a60565101a5ac1acd70054405395fb53e26441cb1cc8b813a254a9ed892d03c951fa6a93

Download Submit
\Windows\SysWOW64\Pqjhjf32.exe

Filesize
85KB

MD5
2d678ef6d847730ae77eadc0886b465e

SHA1
d537709cfb7dcf39cd6553723e75806d62378e5c

SHA256
840c8a619391638fb77ef6b7d6989ef28e5dbd685c3b75904bcf50d8e05ac612

SHA512
1351ec6f8073115fe4cdafe032252a3fd2490f34ca07a274ee04c112849bf057436acd8879e23f36c7f00634e0f2694590b1d17578b34fb1642125b559f04f1c

Download Submit
\Windows\SysWOW64\Qdhqpe32.exe

Filesize
85KB

MD5
a5785eed11c8ee7d5e8193c3766fb989

SHA1
10922db6b1321bb5141e2576717ea2e1be4bb10e

SHA256
747f0a478ca4b2db4c118f062107c555dc2774a4ae0c0cc82477f50411415dd4

SHA512
8d01c00c74371db93b98664f088e1e5b4b64ace02692cebe3f540797cb5babd9cef1c876ebaf9a24809671a43b459c6c684607bb745872e9b11e95e1ae14fd76

Download Submit
\Windows\SysWOW64\Qjeihl32.exe

Filesize
85KB

MD5
0ae98b6dcecb24ada19a4940dacbd54a

SHA1
f16ce08600b8ff407940fe752573286a4b286fe5

SHA256
e354dae4466d06f15d0f537fafe5828eab3e89578a600bd2484e30ebe0ca2416

SHA512
d4e70b54f523b11df0ff39c4682356f170cba9f3223b2e1504ba7b5557d570ba95c692dee6bd890d051a557d4fb5fe3d89440f5578beb87d62ca14cfa024c962

Download Submit
\Windows\SysWOW64\Qqoaefke.exe

Filesize
85KB

MD5
a670923b1c62f2a50ae6d56c3fc771f8

SHA1
403b440a8ee9dc296785c8aaebe92a2ec0ad0d5f

SHA256
e11555d2539b680122258767ad5deef8dfe4253d360f8384c6d211f955b7773b

SHA512
0860fda806421b0be505c71304750ea05b306de45949b6e4aa7497778a455332e9ee837f3a558aa811020cdb1fd6add15a99e5e241a2a60022a1f36ef9d1e78a

Download Submit
memory/608-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/608-184-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/608-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-305-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1580-304-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1600-290-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1600-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-255-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1812-251-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1812-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-104-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2280-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-314-0x0000000076E40000-0x0000000076F5F000-memory.dmp

Filesize
1.1MB

Download
memory/2280-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-315-0x0000000076D40000-0x0000000076E3A000-memory.dmp

Filesize
1000KB

Download
memory/2284-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-131-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2284-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-12-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2316-13-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2316-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-27-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2436-28-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2436-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-283-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2492-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-245-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2492-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-270-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2600-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-274-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2704-92-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2704-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-56-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2760-55-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2788-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-78-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2792-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-42-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2792-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-211-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2832-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-149-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2892-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-70-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2984-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads