berbew | e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Size

224KB
MD5

c60995b63235ccfe0f8127ecfabd3073
SHA1

8d4d2a8896b6a1cb30482a25b093c4b39bfb96fd
SHA256

e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a
SHA512

6dda0205408c29c4b8ad036e94155d0f8b7bfe16d2f8236fc39b47735e1fc133355659a50b720cd9137c27a1e1062131186d0ce29fb7a922912584b1dd87f7f0
SSDEEP

6144:G5269bk6gS9FME4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:G52ebbgW9aAD6RrI1+lDML

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
384	Ocdqjceo.exe
3632	Onjegled.exe
2284	Ogbipa32.exe
1968	Pmoahijl.exe
744	Pgefeajb.exe
912	Pnonbk32.exe
2240	Pdifoehl.exe
1680	Pggbkagp.exe
1480	Pmdkch32.exe
372	Pcncpbmd.exe
4696	Pflplnlg.exe
3400	Pqbdjfln.exe
412	Pfolbmje.exe
1000	Pmidog32.exe
1416	Pcbmka32.exe
1708	Qnhahj32.exe
772	Qmkadgpo.exe
244	Qceiaa32.exe
1080	Qgqeappe.exe
2372	Ambgef32.exe
1792	Aeiofcji.exe
388	Agglboim.exe
2200	Amddjegd.exe
1208	Aeklkchg.exe
3492	Amgapeea.exe
2856	Aglemn32.exe
5080	Aminee32.exe
2812	Agoabn32.exe
4132	Bcebhoii.exe
4252	Bnkgeg32.exe
3284	Bffkij32.exe
3360	Bcjlcn32.exe
1348	Bfhhoi32.exe
3184	Bclhhnca.exe
2724	Bnbmefbg.exe
2028	Belebq32.exe
2912	Bcoenmao.exe
4768	Cjinkg32.exe
2096	Cabfga32.exe
2392	Chmndlge.exe
3636	Cjkjpgfi.exe
364	Caebma32.exe
3140	Chokikeb.exe
4408	Cjmgfgdf.exe
116	Cagobalc.exe
4524	Cdfkolkf.exe
536	Cfdhkhjj.exe
2556	Cnkplejl.exe
2720	Cajlhqjp.exe
4192	Cdhhdlid.exe
2356	Cffdpghg.exe
3712	Cnnlaehj.exe
916	Calhnpgn.exe
1820	Cegdnopg.exe
3920	Dfiafg32.exe
4772	Danecp32.exe
3048	Dfknkg32.exe
3548	Dmefhako.exe
1452	Dfnjafap.exe
616	Daconoae.exe
4868	Ddakjkqi.exe
4064	Dkkcge32.exe
3864	Dmjocp32.exe
2152	Deagdn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bnkgeg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	2352	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 384	2780	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe	83
PID 2780 wrote to memory of 384	2780	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe	83
PID 2780 wrote to memory of 384	2780	e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe	83
PID 384 wrote to memory of 3632	384	Ocdqjceo.exe	84
PID 384 wrote to memory of 3632	384	Ocdqjceo.exe	84
PID 384 wrote to memory of 3632	384	Ocdqjceo.exe	84
PID 3632 wrote to memory of 2284	3632	Onjegled.exe	85
PID 3632 wrote to memory of 2284	3632	Onjegled.exe	85
PID 3632 wrote to memory of 2284	3632	Onjegled.exe	85
PID 2284 wrote to memory of 1968	2284	Ogbipa32.exe	86
PID 2284 wrote to memory of 1968	2284	Ogbipa32.exe	86
PID 2284 wrote to memory of 1968	2284	Ogbipa32.exe	86
PID 1968 wrote to memory of 744	1968	Pmoahijl.exe	87
PID 1968 wrote to memory of 744	1968	Pmoahijl.exe	87
PID 1968 wrote to memory of 744	1968	Pmoahijl.exe	87
PID 744 wrote to memory of 912	744	Pgefeajb.exe	88
PID 744 wrote to memory of 912	744	Pgefeajb.exe	88
PID 744 wrote to memory of 912	744	Pgefeajb.exe	88
PID 912 wrote to memory of 2240	912	Pnonbk32.exe	89
PID 912 wrote to memory of 2240	912	Pnonbk32.exe	89
PID 912 wrote to memory of 2240	912	Pnonbk32.exe	89
PID 2240 wrote to memory of 1680	2240	Pdifoehl.exe	90
PID 2240 wrote to memory of 1680	2240	Pdifoehl.exe	90
PID 2240 wrote to memory of 1680	2240	Pdifoehl.exe	90
PID 1680 wrote to memory of 1480	1680	Pggbkagp.exe	91
PID 1680 wrote to memory of 1480	1680	Pggbkagp.exe	91
PID 1680 wrote to memory of 1480	1680	Pggbkagp.exe	91
PID 1480 wrote to memory of 372	1480	Pmdkch32.exe	92
PID 1480 wrote to memory of 372	1480	Pmdkch32.exe	92
PID 1480 wrote to memory of 372	1480	Pmdkch32.exe	92
PID 372 wrote to memory of 4696	372	Pcncpbmd.exe	93
PID 372 wrote to memory of 4696	372	Pcncpbmd.exe	93
PID 372 wrote to memory of 4696	372	Pcncpbmd.exe	93
PID 4696 wrote to memory of 3400	4696	Pflplnlg.exe	94
PID 4696 wrote to memory of 3400	4696	Pflplnlg.exe	94
PID 4696 wrote to memory of 3400	4696	Pflplnlg.exe	94
PID 3400 wrote to memory of 412	3400	Pqbdjfln.exe	95
PID 3400 wrote to memory of 412	3400	Pqbdjfln.exe	95
PID 3400 wrote to memory of 412	3400	Pqbdjfln.exe	95
PID 412 wrote to memory of 1000	412	Pfolbmje.exe	96
PID 412 wrote to memory of 1000	412	Pfolbmje.exe	96
PID 412 wrote to memory of 1000	412	Pfolbmje.exe	96
PID 1000 wrote to memory of 1416	1000	Pmidog32.exe	97
PID 1000 wrote to memory of 1416	1000	Pmidog32.exe	97
PID 1000 wrote to memory of 1416	1000	Pmidog32.exe	97
PID 1416 wrote to memory of 1708	1416	Pcbmka32.exe	98
PID 1416 wrote to memory of 1708	1416	Pcbmka32.exe	98
PID 1416 wrote to memory of 1708	1416	Pcbmka32.exe	98
PID 1708 wrote to memory of 772	1708	Qnhahj32.exe	99
PID 1708 wrote to memory of 772	1708	Qnhahj32.exe	99
PID 1708 wrote to memory of 772	1708	Qnhahj32.exe	99
PID 772 wrote to memory of 244	772	Qmkadgpo.exe	100
PID 772 wrote to memory of 244	772	Qmkadgpo.exe	100
PID 772 wrote to memory of 244	772	Qmkadgpo.exe	100
PID 244 wrote to memory of 1080	244	Qceiaa32.exe	101
PID 244 wrote to memory of 1080	244	Qceiaa32.exe	101
PID 244 wrote to memory of 1080	244	Qceiaa32.exe	101
PID 1080 wrote to memory of 2372	1080	Qgqeappe.exe	102
PID 1080 wrote to memory of 2372	1080	Qgqeappe.exe	102
PID 1080 wrote to memory of 2372	1080	Qgqeappe.exe	102
PID 2372 wrote to memory of 1792	2372	Ambgef32.exe	103
PID 2372 wrote to memory of 1792	2372	Ambgef32.exe	103
PID 2372 wrote to memory of 1792	2372	Ambgef32.exe	103
PID 1792 wrote to memory of 388	1792	Aeiofcji.exe	104

C:\Users\Admin\AppData\Local\Temp\e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe
"C:\Users\Admin\AppData\Local\Temp\e470af6476b2a99d2369fac8bc68cb7fbd2adcdb9d22f1c2742dd6e80ff50a7a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\Ocdqjceo.exe
  C:\Windows\system32\Ocdqjceo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\Onjegled.exe
    C:\Windows\system32\Onjegled.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\Ogbipa32.exe
      C:\Windows\system32\Ogbipa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 416
        68⤵
        Program crash
        
        PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2352 -ip 2352
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
224KB

MD5
74028a31651707294c6cfee0df726dda

SHA1
aab6df75cbcfd79ed92c9fd99e0cb87157a78e4c

SHA256
58670f58f46f9308e12037c6db3c03546e5a4ecfc9928cb4de6709fda3ef7801

SHA512
0a7ab150a078775dc23a07c8f4a51089fe55af0c95f278f56b4cf3f7e81f00ab713409ea99ce9362968827ac2488bdd642409c07e13b0831877beab6a143e9a2

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
224KB

MD5
bcaf9e0304d616108ae5de7bd02b486a

SHA1
c0c0ca7415c25eabe817a2a78c2b065980b1b110

SHA256
12152e1fe6bd0f866e9e288d638439653d31b3cdcf82fef35bfeac8f83d86395

SHA512
380d0111060ab667f71700e95f4a87533e74ea92c9381ce33a9d9aefefd810d91c4cbedaae4b4fbab2f404367ae748783da7986100a5b9abb95964609a918c34

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
224KB

MD5
0eaaab0a759bdca7a9401a70f4bed6eb

SHA1
ab40fdb537a7e56ef03bc1025023938e52046331

SHA256
08347832764d2dc6268140336c36c63ccd20345d8ec7cc490507ee8236b7b49c

SHA512
0eb378f5fe575c7c007edf78d85fc45cbd983e3e962c062ec552ad63a6af1b95fd541ef2416cdbe67d4a5fc69ce528af46a671ad72df1f722e10c920652aca44

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
224KB

MD5
5468c9449fec8a91682f4fa8ce6865cf

SHA1
1f918ff4e9d22f9c34a54c493bd856f236d28723

SHA256
e2913daf4b0ec656b39dbd670153ae9cf252a252c2d4e34611ae080ac1d292e2

SHA512
6fec31070276789b313b908c7a886c79cff33d9710de399206c666d1dfce404df04b0325e116a8ee79a32d22f48dfa38ea758a34aab0cd797fe8d0dfff813834

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
224KB

MD5
34d86fafe729540d38c4f9abdbf3c9d1

SHA1
ad2338fe4ac10c537ee1e4b39b2000ccd91b0f01

SHA256
b58b85262cf341262902200f3ac436483a1a7bcd0ca0b19d7243ee45198058aa

SHA512
7442523b1dd50f132e255188db4f0544222bed01fa44896e6cc97ee9d3ababaa3a7d05685ce42cb9e7dbc994f54711fccdfbbfe44bc1650d12a658e137a18156

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
224KB

MD5
82ca676253dcae707b2342bf9b433518

SHA1
89af15ccc82fd13570c2b2c322672710559dc520

SHA256
202468a08f3c8140f620376feac7317c695d5ff42deaa0fb3b8e378d3a41c825

SHA512
2dcb11d705c1877619ee1c7d597a0f3c5732afe8059c3e28468b817a0d2ba8192b8a785e805b76fe4fef1242e2c23a214cffb9b583f6965f769275708fd9dd69

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
224KB

MD5
697781dcd64f7590955819a494eb7179

SHA1
068736dbb2286be187895a7ef163ec704190bbb0

SHA256
56268031ccc63f86a6c445f72e559e527350fcc579a2055d11b3ec3561a266e3

SHA512
a7514cac3ee3b00ee17cb15244d25e6df9a6e72fdbc55b1e0508ff314a40b6a009f3545f9eaa4e1bf4d3e54443da90f9207d81df01f2fa6e9010c741e901102a

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
224KB

MD5
f37b7f7d3197a8a73ee4fc7655ffffa4

SHA1
58caaffbef616c8e4acef3d8f4a3febc66a89aa0

SHA256
92098ed717542e337331de2a96a0b348210d4004baeb48e310507f6c89cd636e

SHA512
c1f1bf21f7821add514e229aff742ad4bf00f1b5cb01d591fc2a35b2ee45e15aa0f5bc5e642fc732fee34f2431f862746858d360036c2528403da0e192e9b7ae

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
224KB

MD5
3fc830116317a17b9778e92ff78d91c5

SHA1
5522e88d51d64962706394388e2156e1c404b4e2

SHA256
a2a8bf0e0dabc772c835661701202a5bd220224f1277c1e481ab70f9a3412f49

SHA512
2cd68e16806fe753e8221de22ff7267c6d6bc8ef6a8e979899fcc7694677d325570dc155597c98559a52e1b4479763de387ef244a580a591499a57dc723c96ed

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
224KB

MD5
a99b5769dc0679946d4b3f456abf096a

SHA1
26c647d6f745870b1a1675a4d2dfa633e24e039e

SHA256
ed29e49db8ef68af7b447c5e7f2da2f9dd1d8641a1365d58c01b7fe54c980c09

SHA512
4c73cb2c9444a1eb36a9e9e829d65ad574a09a29fe8938f1f484be246869b5fd25532dfed7aa7acef85fde75d826dc42e312a8e0703efb654b14aa18973a270b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
224KB

MD5
0cedb37199bb4acdc4b879c40c5b157f

SHA1
dfe721683947d3719f757062e3104c0960487495

SHA256
40cacafc77ba4ab4199041060bc28485e389879509bf1766fb6e3aeb5df9fd3a

SHA512
508980150de1ec6011e699b663a19840b88a232eb8345ba171e2ffa1c1b2353764fe60d8300fe891e49ba5c9e7f76c9c1f42854bb2d05e997cfd46b64f261873

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
224KB

MD5
d6f22183475efe39fdce5cb4cc809efa

SHA1
bee2a44ed38521700bcae7977782204cc649aa60

SHA256
8655914af2c8b8dd599264745987f4fefa55a82caf795e654346babbd5e5cfdd

SHA512
24daeabe96a887e4c5a763c5a10820cedb7e23d8cdbd2b745b31d48df7fb9fc14e126bfb5400b1aa1dcbe89ff6cfd422cb1598e35ba8895d241021541594adda

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
224KB

MD5
4be137aa3d43929834b31649bb21b9aa

SHA1
0804b3840ccc8d8a7e1b8dbef299b411da94afcc

SHA256
df9c6e2d88491c8c6d4e317ea74ce3d19c2215e24dc66524d8901c2fdd745313

SHA512
8a09ae7aed7fe2bf12bcb1634f181276cdea6c2321986958711f858dd121aa116ab3ef0f19cb79b52271e3dce98a4423e998b104e8580d837557d28a0e2f178a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
224KB

MD5
ed86384168fab8b0daeafb8285803359

SHA1
a4d05870db256afcacce11f7d38532d12432dad1

SHA256
0db5b72cc4d2bf0c0b4d91fc6497a23a85f280da4f09b0b69566c690175e3322

SHA512
7e608f5ceaf95fe0378b7016ee2da83c9287efa9a6d4f173116a0d5b2fd8a3c149838004bc8eef4930f6b74e34e082d41a81d057928ecfb414b783c42b1ae4d9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
224KB

MD5
af48bb4ad442f97025fb52138d98b6cd

SHA1
7920aadcf3825f315d60ffd30dbd785acdf31a80

SHA256
cd9430db04aaa4edbd82b616911aeed661092a0bc37bcdfa23dc0a6f03f4e9ae

SHA512
a0fa7a7d4744a9ee670b48f9e36debf4979943bfd5acb4a397f394d6b9f9e76218ed78bad330263ee57e39ea82483f96228868c19a63aa840ecbd5292a4fe00b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
224KB

MD5
dfeeb9012d4c8a2d3fc8b3c9081cec3e

SHA1
5f7e883bff8196742fb43d6f8a073c9e4b667942

SHA256
5ebc657ee651a408e71461306151d13e49b426e93aee69cf752984fee93c2668

SHA512
2ac693633d8901e727b7505c6018cc6c81afa77611215e28ebc541ca4ab3ed63f12f04a045e9cf5104b04387a23dcbcb702e51dbdb974aa20b9bda968b4cb83a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
224KB

MD5
971907a1e6a8373e1cb8e745c1bc088d

SHA1
9475f3c998a5049504005622fa0726d49e5caf2b

SHA256
8a4e65549c13d36ccba87d490fc6a334c2c5b02ea6c114082a7472396c280986

SHA512
125136e63e58c3d701e9340eba806ca89871a394e428501e76e43294030f347eff4ea92de6596185376aafd04ac86a2e55dd37d53f5b475399b7c46a0c1820eb

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
224KB

MD5
07f4cd20681fa4f482565741a47e2390

SHA1
0692426f8a5aa3668b160916f78e4fe2830ec342

SHA256
fccb2388f1755331401645296696e7576a29c77b214e1a7f728e9510029a2027

SHA512
16cd05445fd48fd85e4c85de8731c03183a48f964838b33b49e934ac72d7ebe9967124b9f72b712c1b3bb464dc36fc1dd2702cb64a6dd93e186caddef9ef0ecd

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
224KB

MD5
ef8245645c46f250bb7734869770303f

SHA1
1790975c96c8e361221eefd31dd93c444630bac0

SHA256
18db872a3d8a6b66783987f5c131a929be53524f75168edeb431e0d6af9d23ac

SHA512
066df281bf6de47280c5310ae4d0afd0181140eceb14a83a4b79e9d83beb0d7e704d7f38f87ed64fd26a3bfc6757f49e541293347eae17a6cb2eb72423725c20

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
224KB

MD5
5faf3e86a3101628a3186c76a70d1094

SHA1
ddfa5683fa9b2aa6e8d51504b0b34d5fc6488d0e

SHA256
a128c3b54d4c4508ca66670e164fa95ac4821d403dd7c359416c6cd1d9b4690f

SHA512
f9178e5697a0145f1192f688fde790218e38af37ced0c264e110835547cee42a222fa302a16b1a17770e9d5fb83500894a1918da5207f21afe9b793861c280a2

Download Submit
C:\Windows\SysWOW64\Ejfenk32.dll

Filesize
7KB

MD5
d6122412bbee99bbf121d3965d9222aa

SHA1
88ae0ff0567892e08311f9385f25ba60203da7aa

SHA256
a96396992d8156f32d403961e08707f668288662a5aa12e281f45b7b80daff9a

SHA512
b83a38cf1b4570e60d9815aa046072ed287b0a987f5c90cafa285be51e9bbc2341a990ae9a95501b761c8e110e1c3cfd6232b3bc5dd2d4e80631c8c56e05b159

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
224KB

MD5
6b64346c1ab6f8fc2e91ab5014c4581f

SHA1
12332d7e3f01b69f9ef0ea022b24b91beaf18f39

SHA256
11646a843f5ea5f344715e76bd83370b75ec14cd7be71622ab02eb2f5701a67e

SHA512
3bacdb7b9aa27196dd58d3e6737f6ce2f222f6659e8cc3044fb3cf040ce5ad92537ca3febfebc588cb8e26b129cb0f2f036f068b2846f817e7ed27572b5924f2

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
224KB

MD5
e82e2533939e2e90a9432cdad2ec9527

SHA1
a750f325546a56fb6ad801914f2ace22976614d2

SHA256
6de08b25841d68d46862daeacd1c54e4504afff77c285b84be39c6ff322491a8

SHA512
87f56a730f02df60f5082cde401222e0b85714baf7cd6500ddbd6407b6dfd6fc9a8f8a9b2337d043e631e47f35c9cc833e4302cd5c8d5e65f4ededaf9e48bc90

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
224KB

MD5
26b0c1e1afcff21e9467bcfd485ec88c

SHA1
dbe647605477bd24fb7790824cb1f2c431413aa9

SHA256
8c9af14c249d63be96ddf320c3a4b09ca828a2de14fcbeddd3a318782ec71bde

SHA512
4553d6966196da853d44f21686b557d7069b679b3bb2ac4d047db7769a3da649dea74b6650068541df119e3f4318c426c17dfd94f200ba65d5bfe238b6b7c837

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
224KB

MD5
713a1081605ff73bb135f3575ac2f666

SHA1
a12424aa3393b18d78e226c84ecc54293e8b2fa5

SHA256
277fbd77271c108ff97b58e68e10add13c899d280fec7e922937a05d9ec9206f

SHA512
d46abd3a01276b18a6e55373da4cff66952b2817df14a741c34fe4b418a4dc4a3a520f4fded9b02823ae4bdd1a9b0d3ee3ba11162805f8546b1aedd23198bb50

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
224KB

MD5
53c99d19c8eaeb915a6c4d33ed1ce591

SHA1
44453c6eea2eeba0f5fe5d506b4297b850a7220b

SHA256
599447c13824b702f8aa1f60001ae949f17eccdb83f0fe8a76911979a927eb0a

SHA512
ddcd452503dd29347f86f93e1f4b900e805de0de60f714a74ac3ccb5b5178ff0cc2d41d5fe97d3da24b9f16e1c9c1014bbbe8eb4a580c46097e74c45ce5a28e1

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
224KB

MD5
86c2af06f7f1593cfa9d27e87be678bb

SHA1
2a16917b363d31f69de2534ba1d47eb22e8cf8e9

SHA256
c347d6a98e73662970af0ab8a99ed3a98b4e3e05c07da67211da4df8bfc324de

SHA512
254edbe430f303acc66868a5d5d14b9922a67aca6b217d590e3c47b4eec8717c64437a451212b737552a30c9e8b2b20886bca5124bc44d9d8b4453068a2fb76f

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
224KB

MD5
c18e726506abdc77e3c456edf26eceb8

SHA1
50d2edf8d12e020362080c35989ac5f38275268a

SHA256
08a6234493599094498469f784a20082159364a63706bc8161b9e795f3de211c

SHA512
7efa70095a819ba6df5f0d4345503b852297143f9a29849f072aedd9024fb5a292740109a11471c1df645e4c38715fe323a6a2c580784171d572fda6ce08d238

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
224KB

MD5
4413e3ccef800dc45f7b4aef1ae0d602

SHA1
8838344d7a443c02b15958f679e188bcdff25586

SHA256
8633cc5f45fc5e32b12746c557097d683b6911a9a9a559517e75d8b93736a54a

SHA512
101f70a7f96971b3d8b18f19d1499521c4d4dc9b85b0d5281dd9886071ad236a988129c0d9a1e769e42cfbe04a21b455cdcdc6e39e49260b84f6354db80294a5

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
224KB

MD5
9e3188655ffc7293473723fee3ff8bd9

SHA1
fd632b08826844a5c88adc36336074de26e1a6a4

SHA256
c0be1b47860fb3a821fed78dddce03ba7f4f21d065d9c9d3cc05c1356f4b1f4f

SHA512
4d676356801eab5b205ccc80f12343867891bbf052aad8b901126b6acf9985d1d69a082a288a850bd43312b3005af7c5c45f36362c43796565247bcc340cfd01

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
224KB

MD5
1b254eb59d64def0535944d374e066ed

SHA1
dbc633bab17f366516b876f670f31de9852a44b5

SHA256
4019306c56937b35a089a548b5cf9572742bb131ab95cdc16e670c62329ba23c

SHA512
b6f53815969478abdf200a9a6c1cf7a25b483f8c967d015988296512fbc310017850dee84c6bc2c1aec08f327caf284faeaf6f2419f2f765363baf93c5109766

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
224KB

MD5
425811a2b80c85748ff81c50f0a46a41

SHA1
569cd42176bf1ad230d6ae9fb4e9d12548b3a265

SHA256
e8d38e33e2c8a59ed0e7f30c7626914d316513bbb24cdcb90eecf03c96bd6d0d

SHA512
c3340abf787cbe311a25ccb549a4c8dfb2fc7baf16c2a95c71bd1afb1a7c176c752538cca9c18fdac967e9473825f29c3d538e28deee4dfbc2e642df85139c0d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
224KB

MD5
5d3675381183a6a0461f976c2b67193f

SHA1
ddca5fbce193c5497911b4d1f70623bbacba095c

SHA256
2f04c4c97fcb5bb4564b01b2ad9d92806d39d4318942e88041a7d93835ce048a

SHA512
d98b50832e3f933746eeccfea24b31619092791e3c168880a02723d556339488f1398b9aff3cd9c411bbefa03f186033f72e5c3b656aacaf794f99c954cd34c4

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
224KB

MD5
4d17e241ae17fafc58452298d0a36aeb

SHA1
563dc5df930efdaae132bcd1e3134b418762076b

SHA256
50d45eb431deecfe04a2aee402a400c466f698e177c71aa6a5446c36162a0ded

SHA512
dac7d8c86d40a7936335b77990b00f2bb448cc937b559a88b03eb5a6c3159583d53039c452399d7893675f4239f4439180e6bd793c27b736e97c1e2aeac1e5d9

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
224KB

MD5
ff311b9e04cef7f2e6c1468c16e54364

SHA1
a34d262fb56adc5b6e640169d1784e60d3963eb0

SHA256
40ffbd1fa0dc8b6f0176c98bf3526aba12255f0ee8243dca358d7b6035bfc56b

SHA512
4dfde438f247cd6b4f09d5c51c4da5b4c3e0908bf42561deb7e46e87e5d0d4a3b5af47c2590adad165526975101ea74be621ac780656b5956f203a9e8aef13b2

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
224KB

MD5
40eb97f259a1e5b6b08d83d9de000f3c

SHA1
3f1ebdd3830e0526d9c88b7ae3a7cb87b313bc8f

SHA256
fac05658bccb5612c383b2e344ef51eaa1274c28b1eca2ff11f5dd1758b3e769

SHA512
d1dab5cd3d3a577e27a9f5df5800fdd07cd44404366091463d29666c5383a60d495a3fbc62fa9a544dfea28f43cf52591d39981c2cc0668e2c00078812bbacde

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
224KB

MD5
cf682ad04326b73e3f66248f053fb934

SHA1
c404b0a08c60ffddada9129765fcc2009e34da7a

SHA256
e89d242b2b2255d29b23ca846b4228816ef997c23f9b3bb6d771150c4c2a0869

SHA512
56cd79c4244b8ff8303bad615e516e57efbdd871d695315096b74dbe3e44f4e629d4a9e549b61d9f5e0b5c84c4cc5032a111bc7e4b09666763bb5e08f42fb957

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
224KB

MD5
239515cae31d95cf871f485c73932d75

SHA1
b448ba8e76d0911799be7108f63d019d942f04af

SHA256
20e0afdfddcadde751a12849131f13762d2f098ccdd4006cc8bd2196ce4f9867

SHA512
b78e9571eb687ff5845adbe61018c35a4804f059176c45608d5ae7fddf46ec65aab6c46688e805e6852a5887977041daaf8ac4b9f6be767b784f07d8e3db7afa

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
224KB

MD5
af35e7ff1af6b654a2116ff0706c25fa

SHA1
0910fe540255ff37e930435fde435f419677e778

SHA256
c789a946e8b796488927cb5f86b974fd217867e8ed623ef41b398b67aae79840

SHA512
366a0f3376b9945522c224483b8fdb2b04bd42648e61ce29185a935ceb7f9a8e8b77712e727da52776b181a5fbfbb427381bbdeec95ac8cb9d56e7ecb69760cc

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
224KB

MD5
33f54fd91d312fa102e74d8046374efb

SHA1
821a8560524cdb943bcb04a7f45ea71972447ae8

SHA256
64593b03246ceb53687e339e5ddd79d30bcab5b091241e2f87bf8001b5c428e7

SHA512
0a26dfa3efb2127b53ae80cdb1abf11cfd8c9fc02a16ee11fdecea0c866e232b6f22d3e3fa6847b3b2efe86617cebbd1e9afc7ae052a661d190fd37d8e5d8fcf

Download Submit
memory/116-482-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/116-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/244-149-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/364-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/364-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/372-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/388-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/412-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/616-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/616-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/912-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/916-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/916-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1000-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1080-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1348-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1416-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1792-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1820-473-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1820-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1968-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2096-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2096-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-463-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2200-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2240-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2284-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2352-461-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2352-460-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-479-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2812-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-470-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3140-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3140-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3260-462-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3260-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3360-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3400-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3492-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3548-469-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3548-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3632-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3712-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3712-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3864-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3864-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-465-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4132-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4192-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4192-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-483-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-481-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4696-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4768-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4768-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-471-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5080-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads