berbew | 252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611e

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
Size

92KB
MD5

910085a4f29b31d23902b68bd1eda830
SHA1

60d4ccdd96490c6a08c3627fc90286c2e5cb3c59
SHA256

252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611e
SHA512

a9e703abc0ec129924ec814adf6aae4e53ad9026046defb0d9f4f6961917092a5465748dfefe36d34a2b13e15e91d46e229fe334adc7fb120ec2b38b5d7cf3f3
SSDEEP

1536:pCdMk7YAuxePEWWC9Eh26TnKXvlzDdnjFN3imnunGP+W:pQY5SjWtFKXvlzDdjFVbe4+W

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4564	Ojjolnaq.exe
3184	Ocbddc32.exe
3524	Onhhamgg.exe
4384	Ocdqjceo.exe
3136	Ofcmfodb.exe
1896	Oddmdf32.exe
5048	Ojaelm32.exe
2872	Pqknig32.exe
2868	Pfhfan32.exe
2908	Pmannhhj.exe
2376	Pclgkb32.exe
4248	Pnakhkol.exe
760	Pmdkch32.exe
4608	Pflplnlg.exe
4896	Pmfhig32.exe
2504	Pcppfaka.exe
1020	Pjjhbl32.exe
3076	Pdpmpdbd.exe
804	Pfaigm32.exe
3712	Qmkadgpo.exe
4160	Qdbiedpa.exe
1468	Qjoankoi.exe
3096	Qqijje32.exe
640	Qgcbgo32.exe
4680	Ajanck32.exe
2984	Aqkgpedc.exe
2972	Acjclpcf.exe
2180	Ajckij32.exe
2176	Anogiicl.exe
3404	Aqncedbp.exe
2416	Agglboim.exe
2884	Amddjegd.exe
2640	Agjhgngj.exe
4040	Aeniabfd.exe
2184	Ajkaii32.exe
736	Aepefb32.exe
5008	Agoabn32.exe
4652	Bnhjohkb.exe
4204	Bcebhoii.exe
4548	Bjokdipf.exe
4432	Beeoaapl.exe
3108	Bjagjhnc.exe
4888	Beglgani.exe
2464	Bcjlcn32.exe
4464	Beihma32.exe
3472	Bhhdil32.exe
2944	Bapiabak.exe
2644	Bcoenmao.exe
1380	Cjinkg32.exe
5056	Cabfga32.exe
2676	Cdabcm32.exe
2492	Cjkjpgfi.exe
4556	Caebma32.exe
2864	Cfbkeh32.exe
3452	Cagobalc.exe
4620	Chagok32.exe
3420	Cjpckf32.exe
4504	Cajlhqjp.exe
3220	Cegdnopg.exe
3100	Dfknkg32.exe
724	Dmefhako.exe
2572	Dmjocp32.exe
384	Dddhpjof.exe
4092	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3444	4092	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4564	2488	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe	83
PID 2488 wrote to memory of 4564	2488	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe	83
PID 2488 wrote to memory of 4564	2488	252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe	83
PID 4564 wrote to memory of 3184	4564	Ojjolnaq.exe	84
PID 4564 wrote to memory of 3184	4564	Ojjolnaq.exe	84
PID 4564 wrote to memory of 3184	4564	Ojjolnaq.exe	84
PID 3184 wrote to memory of 3524	3184	Ocbddc32.exe	85
PID 3184 wrote to memory of 3524	3184	Ocbddc32.exe	85
PID 3184 wrote to memory of 3524	3184	Ocbddc32.exe	85
PID 3524 wrote to memory of 4384	3524	Onhhamgg.exe	86
PID 3524 wrote to memory of 4384	3524	Onhhamgg.exe	86
PID 3524 wrote to memory of 4384	3524	Onhhamgg.exe	86
PID 4384 wrote to memory of 3136	4384	Ocdqjceo.exe	87
PID 4384 wrote to memory of 3136	4384	Ocdqjceo.exe	87
PID 4384 wrote to memory of 3136	4384	Ocdqjceo.exe	87
PID 3136 wrote to memory of 1896	3136	Ofcmfodb.exe	88
PID 3136 wrote to memory of 1896	3136	Ofcmfodb.exe	88
PID 3136 wrote to memory of 1896	3136	Ofcmfodb.exe	88
PID 1896 wrote to memory of 5048	1896	Oddmdf32.exe	89
PID 1896 wrote to memory of 5048	1896	Oddmdf32.exe	89
PID 1896 wrote to memory of 5048	1896	Oddmdf32.exe	89
PID 5048 wrote to memory of 2872	5048	Ojaelm32.exe	90
PID 5048 wrote to memory of 2872	5048	Ojaelm32.exe	90
PID 5048 wrote to memory of 2872	5048	Ojaelm32.exe	90
PID 2872 wrote to memory of 2868	2872	Pqknig32.exe	91
PID 2872 wrote to memory of 2868	2872	Pqknig32.exe	91
PID 2872 wrote to memory of 2868	2872	Pqknig32.exe	91
PID 2868 wrote to memory of 2908	2868	Pfhfan32.exe	92
PID 2868 wrote to memory of 2908	2868	Pfhfan32.exe	92
PID 2868 wrote to memory of 2908	2868	Pfhfan32.exe	92
PID 2908 wrote to memory of 2376	2908	Pmannhhj.exe	93
PID 2908 wrote to memory of 2376	2908	Pmannhhj.exe	93
PID 2908 wrote to memory of 2376	2908	Pmannhhj.exe	93
PID 2376 wrote to memory of 4248	2376	Pclgkb32.exe	94
PID 2376 wrote to memory of 4248	2376	Pclgkb32.exe	94
PID 2376 wrote to memory of 4248	2376	Pclgkb32.exe	94
PID 4248 wrote to memory of 760	4248	Pnakhkol.exe	95
PID 4248 wrote to memory of 760	4248	Pnakhkol.exe	95
PID 4248 wrote to memory of 760	4248	Pnakhkol.exe	95
PID 760 wrote to memory of 4608	760	Pmdkch32.exe	96
PID 760 wrote to memory of 4608	760	Pmdkch32.exe	96
PID 760 wrote to memory of 4608	760	Pmdkch32.exe	96
PID 4608 wrote to memory of 4896	4608	Pflplnlg.exe	97
PID 4608 wrote to memory of 4896	4608	Pflplnlg.exe	97
PID 4608 wrote to memory of 4896	4608	Pflplnlg.exe	97
PID 4896 wrote to memory of 2504	4896	Pmfhig32.exe	98
PID 4896 wrote to memory of 2504	4896	Pmfhig32.exe	98
PID 4896 wrote to memory of 2504	4896	Pmfhig32.exe	98
PID 2504 wrote to memory of 1020	2504	Pcppfaka.exe	99
PID 2504 wrote to memory of 1020	2504	Pcppfaka.exe	99
PID 2504 wrote to memory of 1020	2504	Pcppfaka.exe	99
PID 1020 wrote to memory of 3076	1020	Pjjhbl32.exe	100
PID 1020 wrote to memory of 3076	1020	Pjjhbl32.exe	100
PID 1020 wrote to memory of 3076	1020	Pjjhbl32.exe	100
PID 3076 wrote to memory of 804	3076	Pdpmpdbd.exe	101
PID 3076 wrote to memory of 804	3076	Pdpmpdbd.exe	101
PID 3076 wrote to memory of 804	3076	Pdpmpdbd.exe	101
PID 804 wrote to memory of 3712	804	Pfaigm32.exe	102
PID 804 wrote to memory of 3712	804	Pfaigm32.exe	102
PID 804 wrote to memory of 3712	804	Pfaigm32.exe	102
PID 3712 wrote to memory of 4160	3712	Qmkadgpo.exe	103
PID 3712 wrote to memory of 4160	3712	Qmkadgpo.exe	103
PID 3712 wrote to memory of 4160	3712	Qmkadgpo.exe	103
PID 4160 wrote to memory of 1468	4160	Qdbiedpa.exe	104

C:\Users\Admin\AppData\Local\Temp\252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe
"C:\Users\Admin\AppData\Local\Temp\252c9f064e953367539a868cfb4aa6440441db1ba6bb7baee42b3b8fe4a4611eN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\Ojjolnaq.exe
  C:\Windows\system32\Ojjolnaq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Ocbddc32.exe
    C:\Windows\system32\Ocbddc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\SysWOW64\Onhhamgg.exe
      C:\Windows\system32\Onhhamgg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        35⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 416
        67⤵
        Program crash
        
        PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4092 -ip 4092
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
92KB

MD5
48ccd099f53d4cff9df9fca6e02cc619

SHA1
12bcbc3f5ab24ea9cc9bf7c5cf983b50b83e32e5

SHA256
a8608522f983e674c59a9ef2c9cf814a75be6cf5e0bc39160c86d982f114c61f

SHA512
34a23bbc9afb0ef52e806442ca94ed50e9a163a4aa908782dfb52c23a558d9f8f180b4276060ae6dc77401b6585e4dbe49de833a80c827f2bfd4b62a00269f61

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
92KB

MD5
606c2f654357bf47a78043e87a9ef82a

SHA1
3fd3c72bdf9f00e0b5b84360a4575d7a888b8a23

SHA256
e0551dc8d85b933f0b70f2006967166c2d26d14f692caded5c5b34835653bde2

SHA512
0e904478344b0b1f11dcfe996fa29741f9adbcc22ff4a5c7e4c78cb0cf81d83fdf04a7c9e29fd70a5822196245a1298733ab0861a2f5d261606a2236744bc184

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
92KB

MD5
c570dce628758ee25e8f9a6013cbe154

SHA1
985113c6780932e78e5839871b7eab0016affed1

SHA256
fff7037d355fedeab90186baf0cc878cfcbc8aab47f59178f164f02ad8a76017

SHA512
9ddaac351536f6067b0a3663cfdd0a4a51d831ce832d56c1d545896ce06b6f8ed04df843b5ee001778b611acfe02d7ad780d2bacd7e53a09e8c89457de421a5d

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
92KB

MD5
a76172761eb35660ad53a93c42150c25

SHA1
4a887aa6ea941608eb121f925c4743fc95942807

SHA256
f7aa620067995f93d46feb434f0a1452fc559fcf4689c27c79574e00f3aab5d4

SHA512
494e9b2ce8944362eaed5e55bf04f5b58e0790f1a984ee1a6e32bff55d4dcad27e5ca1fd6b1abbcf713e1699f24fcea3a9360a34152265aa91a496d54090d28d

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
92KB

MD5
e5105f50f8b721ffa97263468322e9ef

SHA1
17b881d5c38df22acdf7082780962de527efc4d9

SHA256
605c78e1103e10e06525d6439ece99ee45faf07f1e4ebc0c31f7cf0297dc574b

SHA512
e7acb8c44891588c6f04aedc11d988614c0ccb0d394423f962b6781ba5b8c9ab1ba4c512343ed474d38c5d1fd9aaeeaafe3994f794c8984fe7c4111107ccd7fb

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
92KB

MD5
b88c625e69b46d8edddf9e34793c24db

SHA1
3d52638731e42900c1bcd1319c3629a613a768f6

SHA256
ce227c30d7acb148e46980035673a6320b06bdbb6a924239c6d68d88be08bd4e

SHA512
f4bcb33c13dbee609584ec6dfbeef502947b3c21dbce51697dc77f111493e3617afd8364b75186034d0191a5d262a7419b2580a9e9e81e7b3c781567501d86ea

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
92KB

MD5
4801d7341669ce83e5f82b50910f0f5c

SHA1
c49f7d1dc2430e6c6965c291c4b39668ee55463c

SHA256
c4360fe9f8869e579db84218a21d1eecd5ff532ace0f9f3fcf9c8f86fc569249

SHA512
014860e3334e8da74fb1872ed0dc8eaf50c2031f31b72b65c4f09ef0b844f4d0478647ec699ac44560689da66b6cb74829c8294672f3d50447cdc32f6135d79a

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
92KB

MD5
7a413df09a9774adeff048019e8d9391

SHA1
dd57d993e56250a44c1232a2d7ab4aa9871447e6

SHA256
f789f67284e51445c747e7e862ec9bc7cec2f6d4d9248dfeaf67bbb02b0a9795

SHA512
8e821422208322356235e5ef711b9375e9efadcd73c77347a448945a2598c3e8714fd2131ac681fbcceb39e4eef36063483a62059bb4473e3d58a767ff4025e2

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
92KB

MD5
cf9a9dd1d5eaad98e2d2ed71eacf71fb

SHA1
45d06485204f62232d97cad4da94106b9aa50adb

SHA256
c54961acb263765471f4a270324fe31597f85e9ff58ce531bb93df43e689b17c

SHA512
7b95ce0805b8e9d7113904aaf26608c528cf81cdaf2b2ce5b07fa4e56210c4af650e9de431f860f7fb25b2896af9dc5db4a93f69a5cd1bf2df450630dfe6af98

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
92KB

MD5
1a56fc538587dfd48ccfde54d293ad7a

SHA1
c177c9687b5209d2cc2e01dc85d73ee747ad65fe

SHA256
63a971aea739d767b040d7b6ed1d0485389dc9293b29a47ffad4cd33df4da62e

SHA512
0ca22af42243b3f9cf0b42df4fe43f9de9e8409bc8e10555ee964269b8be60d0d75163f520e3ae2a40899295c221140b5fbb9c73ca0aa11a98065360ced22742

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
92KB

MD5
fcd59a597013c06b851afed4cbb2365e

SHA1
3ff936df0523437f72cdcb56c5841f02101b9a48

SHA256
3859a5b58ce55accb520cbdde9754281ea2d4f2670bfb6e683c7bf5f31e07ca6

SHA512
fc3a94842da0e2b47cd6673b1525e8dc983e68910a54a58d7d50a29c61188aefa7cce5831802a98527e128db6eea44e59e07eaa5028c9d64328b0d02ebdcabb2

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
92KB

MD5
57fc0db48dd61cd96800852f94c85d1f

SHA1
8d0737a8c1681c463b407187ed021a7f56a660e2

SHA256
b1349fab92b1aeae19183aaebcbed8b45f2e940cfb0d88ab26ae780a30003af6

SHA512
f37beee4c85161947b9d91f0c88bec20d3a6c68f309aa02e9ec0daf92260b94eee33586a808ea1542b35b349ea9ace9744cf1ae368018879390501c608dac46c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
92KB

MD5
140b98f33ffc90b1895d6c8b1d94fc3b

SHA1
1025dc95a175412a16611f5d222ba398461cf259

SHA256
af65b46e31840fcff531f82f537d6756ecf7d96ceeb5753eb5007b9214317e2f

SHA512
a2c35985c19a4527d8e1106c8740c371fa41b089d875acdae3b81f2d59c90d15ca7730d07e05317fbb1b0404546764e7127f6626b6f3fad1df181b583ac80087

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
92KB

MD5
6a85c4165af6a31c2a2fb7e600a8a46d

SHA1
1d97e7989083f5b82298459d0a7426bde2c8464c

SHA256
741d88e1c6391c20ec7c3421232f48cf9d30cc04b9d0c49550057c25de29b227

SHA512
67ca15efcd3ced84b2752919570baea23cf2ffaa450bcd19f7968cc91110349c630d7568a9678696a5d3e0ab8f3d48d62d50c9636a53a3fd52ccdbe09a718b30

Download Submit
C:\Windows\SysWOW64\Gcdmai32.dll

Filesize
7KB

MD5
e9a90f88bdf6884ab0a80ebed28f188b

SHA1
2e66609ee32f2f396fce557afe06727b978cda6c

SHA256
fa093e65445a46520fef9fc74654588044b89b72a3e82ae6df0e7a779cd5660b

SHA512
707315674a47b92be4039a71251605e792b60645dca372ed139a7ec27c333827aaab717380319bfc9bb05515ab224f9e0d7f6f33eddbaa06ab2aba1ff2ea2cde

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
92KB

MD5
15b6e9264febd1f7ef90280270db91af

SHA1
db007d9c19920237b8059eb710ff866c7b43e0ea

SHA256
154e12a19ed7765764c14320173548f3e975c0b33e8aa92ac8cdaf6141d743dc

SHA512
b3c77be2556f30f1cefbe933a0ad6d1838eb03635cb6b4dc3fd300a77d97c15bd71a5793c2d0d81ccf73d1b84b6c723b49498725d9f0773c272a7e5627c7bb14

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
92KB

MD5
cb47534300f00cf4dc1a646c136322e0

SHA1
0d7b6972549fc8487e038c8d5c97edf434c80b0a

SHA256
4f5319fb58ee3897101a36f0556fb96e4800b696a55b9b989f25f2c1047776ef

SHA512
f00b63a696538e87e4fa5928e62d725bed8d8ec275ca4a6bc83336b014bb06764ea1ad73a0de4dd7fd19bb6d7a29b4632bf8a1c4a48858752c27e016a6b93b7c

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
92KB

MD5
0d07fe1c123101f28b8f3a47915d2ec8

SHA1
76aeb73a8103684910df8d614f2d1265d86a9b17

SHA256
69b1f653d2954d59322d3e0510d2498409e3fe08460435a8fb1cdfb805e2ef2d

SHA512
074ef7fef9012df22df344d007d6f20ec725e81dd4b22bf14f330a1bb8d905befff3920ab1c2ae39826c6c7249b2c133baf4f199705c02055afefc7dfd94b00a

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
92KB

MD5
3a195d5a0f164ef352a976f1b639df0a

SHA1
c67a54f686e02ac234276f14bc3ee42d04d945f9

SHA256
9617af1af4a51f87a822486470fecc6bed9b578cd45a2dabfbdd77f4d77d0b44

SHA512
21555bff209f8b820223ed218d6a543beb5574ecc2f16bd9391c4e061e29d90bcbc0153e8920f9f41047c26653d0e7c2befec85063fb9381d912d41a4bd1b329

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
92KB

MD5
74a96860f878c2e01ba11803c9ff2ab6

SHA1
b1af008ae719fcc25bb9eefa08c1d4348fc1c3ff

SHA256
0c1916914cd7d2b0da5389d770a5cc8b9b3e67f59decf8d0d69033943e6cf0ec

SHA512
d90e601053703602e34a6141a56a1a2e9082b6347b2af4306dbc7039112cfc4655dca57e63eaf462459802b762c4f178e8ab320f88cc5e53ca2b78c043c24579

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
92KB

MD5
334bf0023d48f4e8902b4c08c448a527

SHA1
beb504af11b9149a10ed42cf8e1a06fc63104edd

SHA256
27d166447db602f203eacc1944076f67e6f3b55412b5fd104221dec93bd72274

SHA512
a544ddd7886241e1bda7655863ff5826e46a83b1008354ec9a1bb213bffb731186d160e112bee70ed0da453094485e9ef0829e3f6e8aa70a2e20d11f4d24900b

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
92KB

MD5
e33920ab299a997d5324bab919f7ba82

SHA1
4a8960741752874bfb5c9befdf674c3dc7ce021e

SHA256
8e32a1d854dcba6118796a18cf19b39aae761168670bf8162d5ddc59228a2c9a

SHA512
57b0704a28c22eec6e0d9d2c252d3cf1770c49c2577908627fed1b3d984d6ab1d6db72df2f504e5cd730ba1ba6836fd5966ce592d7ca05f32ee763e0cb1023f9

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
92KB

MD5
3b520c853767901341ae19bd4c697a58

SHA1
96b7cd7f6f7e030f11a69b84f8429870051f9b0e

SHA256
98b7c71af4b251ccc2baff0d2929ba916f5d2db6390d1a2b9b7c2d630df01939

SHA512
488c9f8eae33f985749e47859c6e94005080fb34365d69391de88824a8e315a22452dc14aa9c7f6eff4d0377ed12f49e74f9a066a117357ad404891cd0e182c4

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
92KB

MD5
fc3580f3099c7f2c56acc5a70e8c9a5d

SHA1
be25f2a69b3d26267322ce769c6a7d57d2208a3b

SHA256
af38dd036d0f15865b53a9a9962e816d5e5e4989119073c73f6e48746a221baa

SHA512
c18d5e15408276c8df7ea162a5af67cefa44eed768fee49d40f96c8b1a848780d4ab6a32e6f3fba0ee6adec16d568f086081102fe0fc7d1e60417a57e1a1f452

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
92KB

MD5
b8f66b951fb6dfd6c49febbeeeba6466

SHA1
50e908cb1d17c8d4758ff3e4ce22be47fc21bc8b

SHA256
e95ed1827483142b636661687c2dd239e37461c81924b109c543d31506ac10ce

SHA512
1497234fd527ae8c8d5375aed1a46a0d12ce1641a13ed215d6470c00971781a13ba704366cf0774a7ea892700960f5631d0fb2ecaa53ff8221e9176aad390c36

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
92KB

MD5
4e9408b5d258e0563b53d3a5d185fe0a

SHA1
bc7766b7bd594bbb127bbdf84611663481c8d09c

SHA256
6617d90e0a6e142a35e20fa6b8c56f638e7a843d0a9603cc70bd07c6c40195ff

SHA512
329bb18251893309f7ddb1863bdc520cdb7af68d1947910d674e26e5ac56f1e02ed8e75ea9a93196eeb099cff033c13f760efeb52d43a6d4d4d6b1f51c040507

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
92KB

MD5
5a93d683a4cb4ba41227c3463a6aa07d

SHA1
c343d46f15aa3affdee52ab5546e1a815f74d578

SHA256
a0e25995297d788584c98346ee861ddc2afd12c329ce116c3cf0eb7ad14d866f

SHA512
4b139b5adc60539c4b6c07e8da04a74a37768067c526f9f260981413ad38e2206e1a3bba815386d03094888359be2b99a9a3c3798f33701db7bd0b475864d30b

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
92KB

MD5
91c825b878d41f83518c3578f6da2395

SHA1
f67a2718599ded85bcd028dc472137989cf51a87

SHA256
22b0fc24c38e42c358daf1d0f918d70310f80318324814ea2d1481f35d4f549c

SHA512
996037705b0768cbe8d47bc668d08c17e67d3055a82aca35979ccb60f1f4b3fa508ed4d7102899500498d6ddd39c92e474ad31b6485c6ff12f3ebcf06efbf576

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
92KB

MD5
fece7125cf2b2e08ef4c6fcf2effef71

SHA1
3b7eecca592e61aa5660b6604da422f3d15f5d43

SHA256
999831e5ef111edc7bc6394ef8d2006081fe50b0515ff4e3dd827dba06f4a5c6

SHA512
65bd87aa8c3cef240c7e58e5ff1efc3075e97d877bd1c39486ec9a8427a5bd664620775d82391e45e7cdad696ca7cd2a525d299fde18bbd432cbf6303a6c3f2a

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
92KB

MD5
86a582988a01be8866a13eaa9eec762c

SHA1
c73a701061d9b188478fe8b59ce26aef00461322

SHA256
2913a222a6742577100171b5b056009afd648b72436437acdaccedc572f97b8d

SHA512
1dc8293fa91bdaf8f9ff431961eb79ec6fb5da751362486da509f439514f803f4fe0efe138bb7eea756f1197892d5a01cc01edf2a00b73f4cb21f4365cf3746e

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
92KB

MD5
5538370ed268e8755767ee0e6bf6afb1

SHA1
03cf645bb4bff08e35455960dc578c13164c8f08

SHA256
4226d0d122f6973d619da98b001ff210784428f5f9042f242b6723aa374e5bdc

SHA512
e92b12f5052c08bf018397de94615151e5b98f94a428fd6bcf408e9c7e9cc12da1931c1e256040326f5d66f299571aca9320c65742f4938def1fea026bf535a8

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
92KB

MD5
6ee81170f2cca4215c82d37830445d78

SHA1
0871454ff13507420292a5fc2c6904576ad7e428

SHA256
acf5eaeb1f74d5c6fb0e10fccdbea10af4332244aad450cc7a533f45c4f06eb4

SHA512
9254a9bf9ac05542b59d91aeec4b962c5653902a044fbf4130d69bdf9ad58d79e9703dac70ce92ed2bca8654097769cdf580d93e18f861cc2b5c9f97b224444c

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
92KB

MD5
cf5caf1c123c007afa6946ec594b8890

SHA1
50644fe2ced10fda8f2ea31cd1bb167171a0f54d

SHA256
5b2d5c99f8d5c929402a3d8c2fff1cb7dfef39dee2211cb1bb6e3f8d68bea384

SHA512
ec8026f166ec40f886902ac755513fcacae2e2dfb2b9f6a1d60d857bbf2d8d1df57d879851e665fa5bfe30745cbe1e6fcda5d93e986705534f25983b400337cf

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
92KB

MD5
abff158f2995ed64a1465306d1898a59

SHA1
5f2ebe20c6d9b5537ab227c2f86d6b957200fa84

SHA256
065d4d2ce346100e90c450fad62790dff9a781ceb70fe4a446bf94ebd296f881

SHA512
c06c0eccd4886436ba4980bddbf70fb100a06f9ec9c9254f71a36aad933cfbca78b29e36a3d3fdcf485731ce2df8c0083eabef5b8e67ba62b31c55ca020879a4

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
92KB

MD5
989a43e89d44ca7dad235bd134961128

SHA1
039f2c2a8fc406d2dcd7bbdb1dd576b8e0997c36

SHA256
99272e1a8fdf6a8ff18a700afa0effed9e94b000a68821b65c4640d4a7a899d2

SHA512
25f64d6372947adf1f49683d773697b846cf9a8d745bf094a0834296a31c14382e8ae95500633cd17b4c42df5dc4c4a32792dc65c987cc22f4ac9bb7c9c7639b

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
92KB

MD5
dc635b3fe0a8710a385d33bf4cc3e29f

SHA1
7d0938aa932e1f0ee1727981103b57ecb8ee32dd

SHA256
84daefdb4af93ec7f01e972c505ef5fd4370a08133e09f64a246655080bc9ddb

SHA512
036e727deaa50abeab49fc5650c11701835ef3f163a7024f78db64a4e60dc5178855fa3a0416c968017c91386e7d8335f6c021a79c55b4b2ff9a11c37201b865

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
92KB

MD5
941dc91caad7cf4659629eeeb5d8267e

SHA1
a34b3c38d25983974726055689a1026cdb3f2387

SHA256
36b09b93061b2d2d733317cb87db2d70c452b65d2f4bceee00982f9a5e6abf1a

SHA512
75bd380432ba51a4d7c5c97e441fb4029cfc2f19a081eed62fd5986ff63b3da248ff98cf57db945db894418dc222170052a104433f5093ffd0cc7de30393292a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
92KB

MD5
87def385fede029b468d2bfb1797dec5

SHA1
19f344e357f384cfddaad07b5f7b513a0533d086

SHA256
5d1a84d963e714a59d8f4c58555c69dedbdacd2867f221780cfbc04435ae320c

SHA512
dbb9931b27f2ce5833c207ef4cf3162fae0ee594ac39f5fa8faa4d0c85af42dadc000ec63f92f2872614f62bb582e5945cd6a3d767e23ce0c81f2511790ab7c8

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
92KB

MD5
caf074fb8874180ff39cc06c5a28cd2a

SHA1
d9e29296f256be576f70cb543d3b85f2916c57c0

SHA256
6d82bc2114a221180f6429c9d138eaa702a3db3189db72b2ff0a1c1e368a8694

SHA512
37c5940ea8bd9b001c147e9ce6969c4d3a2b3bc29fff94462c8d93dd15813b94789b060f3bd20044afbff33ec9773a1049385b3462ac911f2e86020e0631592d

Download Submit
memory/384-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/384-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/640-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/724-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/724-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/760-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/804-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1020-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1896-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2180-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-329-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-463-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2868-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-467-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3076-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3096-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3100-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3100-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3184-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3404-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3420-457-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3420-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3452-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3452-459-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3472-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3472-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3524-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3712-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4040-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4204-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4204-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4248-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4388-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4548-474-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4548-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4556-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4556-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4564-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4620-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4620-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4680-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5008-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5008-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5056-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5056-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads