berbew | 6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Size

64KB
MD5

d1b615800a43585a4770a1559ca51db0
SHA1

565f196216326809d375e1e3de6d844cd4ff14a0
SHA256

6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4
SHA512

f1a39e3b21f0879bb44120d9cf4da7cd572251ccaf47f38502bcfd764844ccda28f67b626d549a29a46ae32bac488384760f2ea2223c31968f8bc4e7eb2516e1
SSDEEP

768:zoJcPExRa7AOK6rfR79ZwC5BI3A9dVbrjJSFNIpMm9mvH2p/1H5geXdnh0Usb0D9:zCRLapKq59CC5BIkVbpS7v2LmcrDWBy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4648	Pcncpbmd.exe
4932	Pjhlml32.exe
2424	Pmfhig32.exe
396	Pdmpje32.exe
4888	Pfolbmje.exe
2672	Pnfdcjkg.exe
2676	Pdpmpdbd.exe
1344	Pfaigm32.exe
2740	Qnhahj32.exe
4544	Qdbiedpa.exe
1980	Qgqeappe.exe
2816	Qnjnnj32.exe
3328	Qqijje32.exe
220	Qgcbgo32.exe
544	Ageolo32.exe
3468	Anogiicl.exe
5084	Aeiofcji.exe
3832	Agglboim.exe
1340	Anadoi32.exe
3996	Aeklkchg.exe
3524	Ajhddjfn.exe
2872	Aabmqd32.exe
3004	Aglemn32.exe
3636	Aepefb32.exe
3112	Agoabn32.exe
2996	Bnhjohkb.exe
1696	Bganhm32.exe
4168	Bnkgeg32.exe
4788	Beeoaapl.exe
444	Bjagjhnc.exe
1188	Bmpcfdmg.exe
888	Beglgani.exe
3372	Bgehcmmm.exe
3404	Bjddphlq.exe
3128	Bnpppgdj.exe
2900	Bclhhnca.exe
1140	Bfkedibe.exe
3944	Bmemac32.exe
3688	Bapiabak.exe
1780	Cjinkg32.exe
2936	Cenahpha.exe
3992	Cfpnph32.exe
2400	Cmiflbel.exe
4456	Chokikeb.exe
3968	Cjmgfgdf.exe
2772	Ceckcp32.exe
684	Chagok32.exe
5064	Cnkplejl.exe
1040	Ceehho32.exe
1336	Cffdpghg.exe
2556	Cnnlaehj.exe
5024	Cegdnopg.exe
1252	Dhfajjoj.exe
5036	Dopigd32.exe
3552	Danecp32.exe
4564	Ddmaok32.exe
3136	Dfknkg32.exe
64	Dmefhako.exe
2584	Daqbip32.exe
3896	Ddonekbl.exe
1884	Dfnjafap.exe
2528	Dmgbnq32.exe
3948	Deokon32.exe
4380	Dhmgki32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	872	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4648	2432	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe	82
PID 2432 wrote to memory of 4648	2432	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe	82
PID 2432 wrote to memory of 4648	2432	6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe	82
PID 4648 wrote to memory of 4932	4648	Pcncpbmd.exe	83
PID 4648 wrote to memory of 4932	4648	Pcncpbmd.exe	83
PID 4648 wrote to memory of 4932	4648	Pcncpbmd.exe	83
PID 4932 wrote to memory of 2424	4932	Pjhlml32.exe	84
PID 4932 wrote to memory of 2424	4932	Pjhlml32.exe	84
PID 4932 wrote to memory of 2424	4932	Pjhlml32.exe	84
PID 2424 wrote to memory of 396	2424	Pmfhig32.exe	85
PID 2424 wrote to memory of 396	2424	Pmfhig32.exe	85
PID 2424 wrote to memory of 396	2424	Pmfhig32.exe	85
PID 396 wrote to memory of 4888	396	Pdmpje32.exe	86
PID 396 wrote to memory of 4888	396	Pdmpje32.exe	86
PID 396 wrote to memory of 4888	396	Pdmpje32.exe	86
PID 4888 wrote to memory of 2672	4888	Pfolbmje.exe	87
PID 4888 wrote to memory of 2672	4888	Pfolbmje.exe	87
PID 4888 wrote to memory of 2672	4888	Pfolbmje.exe	87
PID 2672 wrote to memory of 2676	2672	Pnfdcjkg.exe	88
PID 2672 wrote to memory of 2676	2672	Pnfdcjkg.exe	88
PID 2672 wrote to memory of 2676	2672	Pnfdcjkg.exe	88
PID 2676 wrote to memory of 1344	2676	Pdpmpdbd.exe	89
PID 2676 wrote to memory of 1344	2676	Pdpmpdbd.exe	89
PID 2676 wrote to memory of 1344	2676	Pdpmpdbd.exe	89
PID 1344 wrote to memory of 2740	1344	Pfaigm32.exe	90
PID 1344 wrote to memory of 2740	1344	Pfaigm32.exe	90
PID 1344 wrote to memory of 2740	1344	Pfaigm32.exe	90
PID 2740 wrote to memory of 4544	2740	Qnhahj32.exe	91
PID 2740 wrote to memory of 4544	2740	Qnhahj32.exe	91
PID 2740 wrote to memory of 4544	2740	Qnhahj32.exe	91
PID 4544 wrote to memory of 1980	4544	Qdbiedpa.exe	92
PID 4544 wrote to memory of 1980	4544	Qdbiedpa.exe	92
PID 4544 wrote to memory of 1980	4544	Qdbiedpa.exe	92
PID 1980 wrote to memory of 2816	1980	Qgqeappe.exe	93
PID 1980 wrote to memory of 2816	1980	Qgqeappe.exe	93
PID 1980 wrote to memory of 2816	1980	Qgqeappe.exe	93
PID 2816 wrote to memory of 3328	2816	Qnjnnj32.exe	94
PID 2816 wrote to memory of 3328	2816	Qnjnnj32.exe	94
PID 2816 wrote to memory of 3328	2816	Qnjnnj32.exe	94
PID 3328 wrote to memory of 220	3328	Qqijje32.exe	95
PID 3328 wrote to memory of 220	3328	Qqijje32.exe	95
PID 3328 wrote to memory of 220	3328	Qqijje32.exe	95
PID 220 wrote to memory of 544	220	Qgcbgo32.exe	96
PID 220 wrote to memory of 544	220	Qgcbgo32.exe	96
PID 220 wrote to memory of 544	220	Qgcbgo32.exe	96
PID 544 wrote to memory of 3468	544	Ageolo32.exe	97
PID 544 wrote to memory of 3468	544	Ageolo32.exe	97
PID 544 wrote to memory of 3468	544	Ageolo32.exe	97
PID 3468 wrote to memory of 5084	3468	Anogiicl.exe	98
PID 3468 wrote to memory of 5084	3468	Anogiicl.exe	98
PID 3468 wrote to memory of 5084	3468	Anogiicl.exe	98
PID 5084 wrote to memory of 3832	5084	Aeiofcji.exe	99
PID 5084 wrote to memory of 3832	5084	Aeiofcji.exe	99
PID 5084 wrote to memory of 3832	5084	Aeiofcji.exe	99
PID 3832 wrote to memory of 1340	3832	Agglboim.exe	100
PID 3832 wrote to memory of 1340	3832	Agglboim.exe	100
PID 3832 wrote to memory of 1340	3832	Agglboim.exe	100
PID 1340 wrote to memory of 3996	1340	Anadoi32.exe	101
PID 1340 wrote to memory of 3996	1340	Anadoi32.exe	101
PID 1340 wrote to memory of 3996	1340	Anadoi32.exe	101
PID 3996 wrote to memory of 3524	3996	Aeklkchg.exe	102
PID 3996 wrote to memory of 3524	3996	Aeklkchg.exe	102
PID 3996 wrote to memory of 3524	3996	Aeklkchg.exe	102
PID 3524 wrote to memory of 2872	3524	Ajhddjfn.exe	103

C:\Users\Admin\AppData\Local\Temp\6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe
"C:\Users\Admin\AppData\Local\Temp\6ba1dde204d337df117fbc02fa9c570d7e53e827fe104d77354f2f68c3eca6b4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\Pjhlml32.exe
    C:\Windows\system32\Pjhlml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\Pmfhig32.exe
      C:\Windows\system32\Pmfhig32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 404
        72⤵
        Program crash
        
        PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 872 -ip 872
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
64KB

MD5
687effa1aa968194262a654da01fdb0e

SHA1
52767b2fe1ff5e29e03ae0652c5ed3fb8e26a44a

SHA256
1ce47abfa6ed15750ff5b7879619d1e06d852ca0d9db4c838bf45e5251d1861b

SHA512
362b3adfbf6a626acfc1a2625f76ff89385c4478a935447462706186eeff701864f6b29a1411624d2a43967963ea5758c3940ceb577ea402790d1e934425e208

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
64KB

MD5
85111c6165c2c7047c55b988bd503c04

SHA1
81c77cc63c904404a85c59d2867d16a9e9abac7b

SHA256
c18461c53eaf607efe7906f87aeb84b68ef0eae41fddaa1063a212dd068beacf

SHA512
69a577a24ea4d45b52567e87bede324e14bd39fc2725859b1b29a6faea96644117903005e53fd6afee5b476af55721ba237b1e3c6ef0b044bfec68ae9b000dc9

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
64KB

MD5
e0295489a665e7e49e61ec8b532efccf

SHA1
0dddc336b20f28bbdc296eaf975a1f22ed300c9d

SHA256
e6f154f685da681e373c5fd7c3d80001ee43f7308cbbb7b56fd4d456b01671bb

SHA512
465d77838e8d2e882136ab4ebb993689cf1a04f7a6a8f12a2d4855b1625ce8d2b142d16705c5280e6ebe7b6b0bd44b7e1cafb0e94b282ebb143b118e510a735c

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
64KB

MD5
fde5832f5af767608b18e983ed60422b

SHA1
fe91a1fc85fcd996cf8c23e983a860dbdeaa3279

SHA256
994d88ef8c6034d1450ea7fec082ee901f8b82ad605bcabbbe33e056bb8f1b57

SHA512
469453b056ac090ef4c638f2df8ec8d14405033c6f65774c9be91cfb6bc25ade8a177b59c2c7666118110a40b2c9cb3ecb9bde9470ad82a59fb5c9227085bf71

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
64KB

MD5
26abbd2cecf64240e7ed24511ca85f3f

SHA1
ec40e19564e61e0356c5ffb484e8f2990f821463

SHA256
51376869b09c187bc2e30c447bccae54f80f7ad69da492bf83b08c4a71851294

SHA512
8bdb27185e9ee54edf41504aa0f984add35bd8c143c5b96509be795567df2254536121f5ecadf644ee087bcd8684ea606fdb312abaffeb1fa3bd79990d7a7239

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
64KB

MD5
648eb0cc82e38877d4e26ec4c867b4a7

SHA1
d8c252230c496afc5cc2bf7c41794bba4b382bd7

SHA256
b0eb84b38f4b914e4c37f23c38374563c7240e4365fcd3ae2b93c0752f3c3ebc

SHA512
320fb78abb5d27c94fe18c9d7ea76c445133c204eee34f325fe1aabfc7700746a0ffb302afde8931e4d5635a6527c6d3881c45628ceebc7050072fde9688b814

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
64KB

MD5
b5033f9598be482d0a1e3263e88eac6c

SHA1
9b1a1a9b24e9aad5c2c4eec70a18a4cf0b3dd6c3

SHA256
f58b1307e44f2ec81016caab0beeaa2c6569365a5fc802d516733a2b4b2ec79a

SHA512
5adc0d5155d31c42cc34254827b786fb17c5a6639ccf28d7ed62a5cd3611078aa43a237144bebf1ccabed0e2ccb32528cdc4f84eab8accf7561961764b2f665b

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
c8517cc14f57c234da5fdd0c4b54a1fc

SHA1
0d49ca9e5df4c50015fe11d9e8a1af2f70b077a9

SHA256
ce3f1a18575bfda436e33cfea936982c10f654902f61419e322750f642cd9169

SHA512
e985047a05948ae787ee2f6d769a235211f861cf316707e2323783f9f121c513d0f7536649ba68e3fb8aabd04835d075c9295ed6bb40ce975d30c4b11ddb789b

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
8089f84a744a2c20fc6e0652e57c9dda

SHA1
11387bf0bc817fa519d549a84c46709b16746b9d

SHA256
8b0d697e432d150c9bdeeae00f227922b72f0af15bcb330b26c1bc44580be999

SHA512
059b7afa435acb0162095a163bdbc267af555b1b5cb9866a595017f091e1d0859870de6da26a17a79c948c3c5e4efd2ed73215665e20a66444dd9aae0342a879

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
64KB

MD5
551b1c7b2d363a1f8c984ce5b8d06641

SHA1
59eb8a48ec757bcf835dd5e92d8084c6a7e2163f

SHA256
09b07c4e84626d494cd0de9baf287888a1a3b8253d443c131fb559c1c79f0758

SHA512
3e1741aef405be332446eed4b535911b0962f6c43c8df25efaf3c14951d87e71ae33fe959437b2ddc443ad9f82105a7d3d019f078540138bcaa7cd57b989248c

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
64KB

MD5
ceb8df83c0075c64f01a05b16487a9c4

SHA1
c6143d505d53e55c93a575904c7cd2cced883246

SHA256
a687cb8cde4156b8accb947c67db476288548481674801cabb6757f0d3c4864c

SHA512
fb9783b90ba30045c5df86e895b68239d0912d1632061cd0df2bda8b45370344b4676a53c364813685caf40359459ceb265c97bd63bd634a8d50ce03e0eb0579

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
64KB

MD5
e6498070640c47f42d5fde2ee3a90540

SHA1
e07fc4b254815506d729745ea919869720a3a02a

SHA256
d07a92151d9416fb6ae87b4c567586712fb786fd1a7080ac9322fe09c3bbfe6c

SHA512
c4e482d3af1936197d3d77f8927eb5bae5c28123172e05529607bee945c7399d03cd7ce43ed9216eab4f5927289c13feb1f5d3f9a886554e556c26f5259d7772

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
64KB

MD5
d8022fb989393718cd817472b83a451b

SHA1
fcb7447c3001ed3b29d94642957bfa1048b9f61d

SHA256
9ab7df9cd5d318b6ed395e7236792376c0cc0c2a9392b31e02805b053c977ea3

SHA512
5092bc73d21bd14db8b6307eb7e42318c7aaa13612759ca6448ea59e11e06aac39a27893b96b948b0d0f6ad699682d6b2fdebc628331211518723193dea77cf0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
64KB

MD5
915160e395a4f4bd6069d128955769d9

SHA1
e20309d750ac36af63e694a6ead25cf0c014a30c

SHA256
13e9bc277f90f1431c7e3adf9954bff073b720fc6896727d5499078c65194627

SHA512
33dfb34f9a1035eb39bfe26e077ea985c6b1f7fb18ee37ede491d0eae01617e08a1dd9951efa31fe05f3c7dacb0eae553f79d2e5885b2fbed45edad23822137f

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
670da433f36bd355211b3ad06bb8f3ed

SHA1
4616687e8afa9a0c757d88f65fb4c4cbf226db68

SHA256
26b5cbf0127263ce0a28f999dd43d143d1b78b3ba38c4e52032b462abe8ec889

SHA512
ce750b5a537016f756e25730bfd499f7327ac8cfa91d87069c089b30cc666f3a2ab42747b576af15c50a0d72c68ae539337cea90d0b453fc4a371ced5640c051

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
10873be8427a6db7a67b2b76f565e695

SHA1
bb91b3f67a58da4a0e8816ce04b76d9958125854

SHA256
f09a7376e74570a860fa58b75316111c2036415cfd559a33ced580add8360719

SHA512
ad5f92ce612c7ca5f66eea82bf93d8ecb794451eb8527c255931df8ef1d910f43f9d1fbb15033708b62509c5b437a3bcdcb9c5f6266563affed23b26270af512

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
2351a33cc3b8ea411f6ace03b357fc45

SHA1
2d15b1e6fec2fea1d692b496c4ebde0b9a2506a4

SHA256
ce5195fe05dafe20a6d8ca0de1c3edb51df3d143f35714fee3425dced9623f9c

SHA512
b795e6f94d302cf8f8b454ac241b25cc4f1bc51c9f64f1283e687f2b46657bd5c4068d63ba30e4ea77c0428a1b1099bc085a31e6c188ad978da23f3e8d25f3a8

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
64KB

MD5
54ea7f36a5107396d40342a9ee019df0

SHA1
3436d9cb3ab3f865ded219140290807238a3f68c

SHA256
170d080512850c4ddedb94347f4a15209e40896b9776bea28e7ba54323910ae6

SHA512
da54bcaa48c2876149a9c3ed2592452221d0eef9be457142cca4ba4f26b1fac8c907a9ec3da2e0cc69cb32d9f1c49a320975fb7c593f6d8a24b96e00abff287c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
ee8a1b94873cc3949052832d013932a6

SHA1
17d2ce272401f65c6c027658b6f3e14051560980

SHA256
637cbf6d2cfdd2a826c1b00c39bbc9e4c7954040cfbfc1fba3b6147aefca02d5

SHA512
c3b61b972798a3a407134c4165b0e512d1060b33a0e52ed68778000bdc11409e768abf3678a142de045381482cefef75c7bc4ba4bb25fd9442320fb5208ed1dc

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
a60facb610c4caf5b897b6d84bbd7da7

SHA1
c8b82e143dc0eaed1621d3f712c043f64a7f31c3

SHA256
cef4d8e3d4e1a21b2b1e3ced104707997d2ebc670b9e18219a46e75a7567b29c

SHA512
c7da90370abfb0687408341cad41afe0c4a3984a6e4d1b09582e4d0a1b35d8473e0892d9974cf4a5ae334da523cfeb97dccb59fed0cc9333233104955d3773c6

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
4e191f4dbc039cddf68719392e1f4e21

SHA1
38f3ef44fd0bb701d0672a28d2e7e966b09c92a5

SHA256
24e04b767085a9e6d3a2f3dcd6a884cfc41d48643cd427c25935383e27bed80b

SHA512
5d5a3ca96d12b2f5dd1e862ff50aaf70dad22f91ea8addd2471720a023624b8e55e25565b9263aa3cd9898f9dd52c514740d86cfef6c5ba9d7358125dca8b2a4

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
60b00726a1ff593d646f7ccad9ec5c66

SHA1
abe9c6e8e5a0d6ba04469b7c5288a90eed00c483

SHA256
e3ef3a3edeb2acb59e4146218fb43111075b243d71d7b72fb55bca8b973cc335

SHA512
0915deef1f5edcc95f9a2fbdf631ba7089af9bd18b9dac6f2cffabca1fe6ad54f6cdb33af8efd59713cc8b90a32f5e4a116ce82c806f080990a45cc1ea2e8f99

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
ceae6d8a22381f2eb70ef4313bcdb49c

SHA1
f74d83f8efb8091ff95204105a67782c3ac6ec9e

SHA256
eb0f76b10c9dfce7ebd136658304a424197285af6b071615fa6e810c475f5fe6

SHA512
eed8063341b19f49d94034eb8d89b718d8bdfaa6ba4f9f0e6ad87abc8095ec42e05ef18588b43b856d55cc3ecbedbb468e961b14651c2bed80437843c4af9515

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
cc93edc2eb5f17e6aafcd38435bb631e

SHA1
5c0be60c4d5d1dc67d6e75ab23401054db304e98

SHA256
bdb11ef72705e1f0fb52eb59fcb0d966c0b2415235ae4b6a72818b601da4d4cd

SHA512
aeb85e20324ff1d5f744ebb0990f90dab4d6b3accb3ba01aacd1b5efc886d3be25b7c7bd223d4457d41c99cc09077b4d7a7af0a2fa805bc2d46e980610d15b73

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
64KB

MD5
a7e92283f9940bce270bf2a87c4ccaf9

SHA1
72f3faeac11b50d9fa25879520ce3c26c68e54ac

SHA256
1b39cee53f96ecabc8e59333f56731c9bf8711d9bc269568fdd9e93f8b824e6e

SHA512
22c8adcb3bd2b3a66aa2154ea4941539698fa60bfb9fabab4e005523606c687dc6e58208c860d81dc141e5361070f1ec3c5421103bf9b765e3999ac8d6448e57

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
64KB

MD5
50bb3e9cb0a5ecd7622425078703b455

SHA1
14c3f7d2cd1b64c74a770595682880a145f73a25

SHA256
b2ead92656295c462b58a43a05be08d9cc79dbb0ab7062b1fa4cff3f3fc04836

SHA512
89988f9d9933f9fb433f2dc3965d83112d7aa1af67fe0e0792f7c1cc63a5b686f7565830acd248246ed3443afa8f379e0fafb431c6833cf2df151ec53c2a62ef

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
64KB

MD5
6cf0dd23ea1c46bbb381c00232b494b8

SHA1
2b8f66f35771312905f4677d4ddc844e09893989

SHA256
c10394b03f82dee3926300694d70f069565868149150de706ef905863f6dd338

SHA512
e8b8ec23bffbf478b94dae39950d826f65629304098c46c7b2233343bad375880aedd9bc79f624df0d628d5a80982795e503b34132978e0903c83ee5e277a18a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
64KB

MD5
29534f645ce6dc80a03253e973c8f5fa

SHA1
21e05c2f4e03751003ff23a730575e48a076e01c

SHA256
a588eaef0910378d3a54e8d682c05c255ed55087cb10fa2f353ca7bfcbd355bc

SHA512
0ee364217c5d241b4c812606b97009fd1b6f33e68e611459decca858acd564fb6d213200deda05fcfda4abef0fbf523fc4a67bafcd62cb7e4363d6627aff7730

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
64KB

MD5
5da4f48777a7b9a5ad3c84bdc8ecfe93

SHA1
1dcd29aa6fa1656fb91040257c74ae89b5ef8c11

SHA256
0eb0b73aafa6f0c705f5b185aa86533d207db4d6a841319b92802822d12d3126

SHA512
5f613f10dd4d0a038c8480575bf4adc60d5c5a81a51b7b36358cac918023396cd0290b4bbe609706997c6147a8fb1cd9d36761034e982222599e2cb5f86f65ab

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
266697879b926e0096475c14f547e3d2

SHA1
9cf816c791ce7577ddc45c63257b023759760a80

SHA256
ec4a03fd2d707d3361edc5aeb7aea7f3f2e508ced0548ce35ce716ee8ccf8798

SHA512
5407d630989d02877b6a8f5e8aa4ae28cf6286848b5b279dbbfef2ea15e20a95f8e61e6e18fd20da68974f16f691c634a9221f71e573db0eb03bf8e3ed06ec95

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
64KB

MD5
4e8c2269219b1b8d5cf97b2a078338ad

SHA1
8f0255b423d0288d881dcbacab7267ed055dc1b5

SHA256
cc8232163ecb28c603ff26c4f33f2d22663c9676355870812ac4fe6410ac9865

SHA512
c60e4aa4fc5b06b3924cd2d3a08ae170e87635f220d0b39ab2fbf875f3092724f2a939a1c13ccd949525df7452c008482be4222d805eb78311cfdc83bdb72348

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
64KB

MD5
b171acd6a471716f24da5770ce8558aa

SHA1
d8586908346dfae7d67822d29f38e422b120d2de

SHA256
2c5ac0af77129a70cab95d53b96c517623528b4c9a9d0fb14cdc55ba5a550502

SHA512
935fc3c4d4acb38d22dcabeeb0315981a40a915829c00b9e131c66130345ae1dd52e5c1cf92707f189b2219a57ed8f9742ebd85bf1802ed8fc16d341de7cbd40

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
64KB

MD5
a2d7d66bf7a6027565626054b513b1c0

SHA1
5492efa1e8f6a2961bb173180edcd70a713ad46e

SHA256
f411615b14473c061ec233787ea2c1438f7e9042431ec8f5b306fcff39d3df74

SHA512
9dc89c443ef11b441ab5e54a3b3d6b7c2b89231721a118a3b008a8da509010bb5612807bf499fa065046fa30c94730293e40f38f5da33a773cdd6d5450c90fa9

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
64KB

MD5
c7c65b0f1216710703ce109841c4d636

SHA1
ed79d8fd947dcb0dbf9e99c5b3c47472f6c2cb86

SHA256
3aabc01119dbe663433b4afa0be01ce77ece65f841cb6261f97394af96cfa0cf

SHA512
6d999ec9d64ecf4a1e886f3883807688081058f208eb83a4b6e3a7ca57d862393f1e1fb909f4c6f6ab48c778f2873c7f6b7eb694d753f816f48950cdeb54b75c

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
64KB

MD5
e6b6e9f46a55803cd6c887efce68159c

SHA1
2ef54d7e9036501c453a57a16fc6202e3565306e

SHA256
271b41631c223e929f82fa25b89b46a5a36e9f3419995a348f6df37402aa1207

SHA512
17e75440ff1f0ebb43e9f5f70154260931242978c96acc6bc056da656bc8660441c097075f04e266ee4bf6f2c300ec2a1d3a353c2faf0db0ebb680b7e3f3f70f

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
64KB

MD5
d8e24a986ff87a6f78bfaee31813ae59

SHA1
9f886bbeabc47afefcb2b33fa6d0afba1218fdb3

SHA256
ed9f95ec9e7604c916932dcc754eeb0987ad0ea09e4fe26767f8b80f403d4a01

SHA512
31000039910b65ccca62bc0658d62144aee4936b25fd9c0b33156188aede1dab83ffe5917567c37d81545dfcb98c54b234089444b8e51e43aec81314c12ae28c

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
64KB

MD5
9040f2929a3dc09bcdbc779384005f51

SHA1
6de5d38ca6e0cb61d658e2c3bffb16c694d01c18

SHA256
d49eb3be520979c02b473a00c4adf109d2dba4c9dd2ecd85a554a102da0aeea1

SHA512
6713ef7247a03f6ad96dcbbedc111acc7f416f8b87288b14ce7401e03cb24872e9bfb517325a38cca2679ebd98fef98ae7ed5f827288018520ca11279d58085b

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
64KB

MD5
f664955c6abf17ea224631ec2e87d317

SHA1
2318e02825256574e87863ad5777811f3d1f7fa3

SHA256
d09e6cdb39ad844303c3362c5946f34562361473a61d29069a09872cae98fdbd

SHA512
ec632320d94bf1720a834969be6bb57cbd228bab6b490c2f6c5b355eca115221beb7a09ca7190f8db1cf54712c7ca9a2e6180274464725d6b2293ef4428f3ba3

Download Submit
memory/220-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2432-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads