berbew | 1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
Size

64KB
MD5

cf5c6a4d31ab88155c76067852282950
SHA1

69e31f51b16098fd86db19342cb1e09e839674b6
SHA256

1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47
SHA512

539f30a183cb28e88577110550848adfd11f6b27c30086ea3edac40fee9781230e0a677d806d47ada5cd9b2d43e08e0b6658cfc29a49dfd38f9ce7349b9a0226
SSDEEP

1536:lC7aZ3WjrP84gynNdl5rWqmfKI7tBnO2LcrDWBi:lCmZ3Wjr8Kr4tlTc2Bi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3464	Pcncpbmd.exe
3556	Pjhlml32.exe
1604	Pmfhig32.exe
2356	Pqbdjfln.exe
4204	Pcppfaka.exe
2344	Pjjhbl32.exe
1328	Pqdqof32.exe
1432	Pgnilpah.exe
3260	Pjmehkqk.exe
4164	Qdbiedpa.exe
2800	Qgqeappe.exe
3488	Qjoankoi.exe
2252	Qddfkd32.exe
1484	Qcgffqei.exe
1040	Anmjcieo.exe
1972	Anogiicl.exe
3680	Ajfhnjhq.exe
2240	Acnlgp32.exe
4724	Ajhddjfn.exe
1592	Aabmqd32.exe
4976	Acqimo32.exe
2228	Ajkaii32.exe
4548	Anfmjhmd.exe
3348	Aepefb32.exe
2700	Accfbokl.exe
2332	Bjmnoi32.exe
2304	Bnhjohkb.exe
4972	Bmkjkd32.exe
4420	Bagflcje.exe
820	Bebblb32.exe
4092	Bganhm32.exe
4876	Bjokdipf.exe
5028	Bnkgeg32.exe
4736	Bmngqdpj.exe
1320	Bgcknmop.exe
1256	Bjagjhnc.exe
312	Bgehcmmm.exe
4540	Banllbdn.exe
3588	Bjfaeh32.exe
1704	Chjaol32.exe
1824	Cjinkg32.exe
1352	Cfpnph32.exe
2880	Cnffqf32.exe
2852	Ceqnmpfo.exe
1224	Cfbkeh32.exe
4248	Cmlcbbcj.exe
1364	Ceckcp32.exe
4868	Cfdhkhjj.exe
4752	Cmnpgb32.exe
1192	Cdhhdlid.exe
3448	Cffdpghg.exe
4284	Cmqmma32.exe
2936	Ddjejl32.exe
4176	Danecp32.exe
668	Dhhnpjmh.exe
1660	Dmefhako.exe
3664	Delnin32.exe
4188	Dfnjafap.exe
3968	Dodbbdbb.exe
2132	Dmgbnq32.exe
812	Ddakjkqi.exe
3696	Dfpgffpm.exe
4428	Dogogcpo.exe
1476	Daekdooc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2388	4684	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 3464	556	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe	82
PID 556 wrote to memory of 3464	556	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe	82
PID 556 wrote to memory of 3464	556	1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe	82
PID 3464 wrote to memory of 3556	3464	Pcncpbmd.exe	83
PID 3464 wrote to memory of 3556	3464	Pcncpbmd.exe	83
PID 3464 wrote to memory of 3556	3464	Pcncpbmd.exe	83
PID 3556 wrote to memory of 1604	3556	Pjhlml32.exe	84
PID 3556 wrote to memory of 1604	3556	Pjhlml32.exe	84
PID 3556 wrote to memory of 1604	3556	Pjhlml32.exe	84
PID 1604 wrote to memory of 2356	1604	Pmfhig32.exe	85
PID 1604 wrote to memory of 2356	1604	Pmfhig32.exe	85
PID 1604 wrote to memory of 2356	1604	Pmfhig32.exe	85
PID 2356 wrote to memory of 4204	2356	Pqbdjfln.exe	86
PID 2356 wrote to memory of 4204	2356	Pqbdjfln.exe	86
PID 2356 wrote to memory of 4204	2356	Pqbdjfln.exe	86
PID 4204 wrote to memory of 2344	4204	Pcppfaka.exe	87
PID 4204 wrote to memory of 2344	4204	Pcppfaka.exe	87
PID 4204 wrote to memory of 2344	4204	Pcppfaka.exe	87
PID 2344 wrote to memory of 1328	2344	Pjjhbl32.exe	88
PID 2344 wrote to memory of 1328	2344	Pjjhbl32.exe	88
PID 2344 wrote to memory of 1328	2344	Pjjhbl32.exe	88
PID 1328 wrote to memory of 1432	1328	Pqdqof32.exe	89
PID 1328 wrote to memory of 1432	1328	Pqdqof32.exe	89
PID 1328 wrote to memory of 1432	1328	Pqdqof32.exe	89
PID 1432 wrote to memory of 3260	1432	Pgnilpah.exe	90
PID 1432 wrote to memory of 3260	1432	Pgnilpah.exe	90
PID 1432 wrote to memory of 3260	1432	Pgnilpah.exe	90
PID 3260 wrote to memory of 4164	3260	Pjmehkqk.exe	91
PID 3260 wrote to memory of 4164	3260	Pjmehkqk.exe	91
PID 3260 wrote to memory of 4164	3260	Pjmehkqk.exe	91
PID 4164 wrote to memory of 2800	4164	Qdbiedpa.exe	92
PID 4164 wrote to memory of 2800	4164	Qdbiedpa.exe	92
PID 4164 wrote to memory of 2800	4164	Qdbiedpa.exe	92
PID 2800 wrote to memory of 3488	2800	Qgqeappe.exe	93
PID 2800 wrote to memory of 3488	2800	Qgqeappe.exe	93
PID 2800 wrote to memory of 3488	2800	Qgqeappe.exe	93
PID 3488 wrote to memory of 2252	3488	Qjoankoi.exe	94
PID 3488 wrote to memory of 2252	3488	Qjoankoi.exe	94
PID 3488 wrote to memory of 2252	3488	Qjoankoi.exe	94
PID 2252 wrote to memory of 1484	2252	Qddfkd32.exe	95
PID 2252 wrote to memory of 1484	2252	Qddfkd32.exe	95
PID 2252 wrote to memory of 1484	2252	Qddfkd32.exe	95
PID 1484 wrote to memory of 1040	1484	Qcgffqei.exe	96
PID 1484 wrote to memory of 1040	1484	Qcgffqei.exe	96
PID 1484 wrote to memory of 1040	1484	Qcgffqei.exe	96
PID 1040 wrote to memory of 1972	1040	Anmjcieo.exe	97
PID 1040 wrote to memory of 1972	1040	Anmjcieo.exe	97
PID 1040 wrote to memory of 1972	1040	Anmjcieo.exe	97
PID 1972 wrote to memory of 3680	1972	Anogiicl.exe	98
PID 1972 wrote to memory of 3680	1972	Anogiicl.exe	98
PID 1972 wrote to memory of 3680	1972	Anogiicl.exe	98
PID 3680 wrote to memory of 2240	3680	Ajfhnjhq.exe	99
PID 3680 wrote to memory of 2240	3680	Ajfhnjhq.exe	99
PID 3680 wrote to memory of 2240	3680	Ajfhnjhq.exe	99
PID 2240 wrote to memory of 4724	2240	Acnlgp32.exe	100
PID 2240 wrote to memory of 4724	2240	Acnlgp32.exe	100
PID 2240 wrote to memory of 4724	2240	Acnlgp32.exe	100
PID 4724 wrote to memory of 1592	4724	Ajhddjfn.exe	101
PID 4724 wrote to memory of 1592	4724	Ajhddjfn.exe	101
PID 4724 wrote to memory of 1592	4724	Ajhddjfn.exe	101
PID 1592 wrote to memory of 4976	1592	Aabmqd32.exe	102
PID 1592 wrote to memory of 4976	1592	Aabmqd32.exe	102
PID 1592 wrote to memory of 4976	1592	Aabmqd32.exe	102
PID 4976 wrote to memory of 2228	4976	Acqimo32.exe	103

C:\Users\Admin\AppData\Local\Temp\1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe
"C:\Users\Admin\AppData\Local\Temp\1d46ba5259139ff884f8e37aabcadb9452659c22112098e1ded7031dd206ce47N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\Pjhlml32.exe
    C:\Windows\system32\Pjhlml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\Pmfhig32.exe
      C:\Windows\system32\Pmfhig32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 212
        69⤵
        Program crash
        
        PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4684 -ip 4684
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
64KB

MD5
e7006e624d343ec2533f9022a5c593fb

SHA1
e6228fb331206a3cf5c9536b73dcd510b0ebd2ac

SHA256
4cf7a5c57931e40c413306577c5bffaa23e9bdc5209259f72d25b645ecdf9b6c

SHA512
3c9a646e922ec14b1a6632420f828b030ec4bd5aa325fd491274c95b17bcb703e15c176a343fce80b4f9a3f464284d61b81b5e4fa1ea580463377e6207ea221c

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
64KB

MD5
71d413921c1e887f96ce4fbb84ef46f6

SHA1
64e7ff8a2136c16210432b460699f38ec9792b56

SHA256
7d9c917252f4bf62e3d98fcd5033d75096230abeae09a1235472a3ffb16d754f

SHA512
b4c42c6d5d39ac04b4847319e3bf608f88b192f5ee9f1c1e6306d6ff4c26b4e2e5c15ec2b666d6025260ad0a4b5e9265bb12740d27bf40aeba01be51e36ef59a

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
64KB

MD5
a8e378f9b9a0c8d184441411f0d9ccdf

SHA1
18ff36674d382d4b229e2260c85ed138939f55a5

SHA256
1cc4e26a0fadff89c4f1b4e485a99afa40f6519bbacd24cb6946885af962ce8d

SHA512
57d64f430feb864434bffb021def81ee769ae7b52c254b2c80354e7eeb6fef9a5ce424fcadbe2a38da44422253960a96a7ee5624f1037bdb7699906aaf322c35

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
6489672d437b7698b19ae6ea40df3109

SHA1
a8b5f1d8b13900e18b2a7aaacc74ee60c191ae7b

SHA256
037c676ae026fc63b95343e1537b7e009a52103275ca84f1dab36608507e9cc1

SHA512
891786ef4459ef156c40fe2c91fe19fb91524e2b13ba612e36a48836eb9e34ecad5c14398f33882950336a57c5aff8d16e9f994ee2a1a5e75dcc7863ec312578

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
64KB

MD5
3a13e6ac2fb0c99c7504cb2aee546c65

SHA1
4e90f7d4b3b45577fe3638592ee653b998e7b371

SHA256
b856e738002876454d5afcb7366fe3e1c340bed66b8ecc84dbfafb150456294c

SHA512
c3ba560809dfaeccf8706220a687935e9b63b9edbcaaf0990ef2db45a96030924dabc0fc70d7cce2d6ff561d23b6e067cd42fd819f7b8eb3f9de7921a21ef0d9

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
64KB

MD5
1b30abf59389c0b365373c40a2501f6d

SHA1
d7eebc5dd136a9ff9bfd3a89e628ca26a01cac03

SHA256
a8d22cf6d93565a6534a515ad3c418522e38349d71e7fd6e413ced3c6963abca

SHA512
051533c59533cb519b0a869d9df752bc71a1e283e7afaa0b91a76e7d12fcd6dbbc62576ae38cec6b3c7933d7b948a402356da24d3e59fadfa7064cfc84801af8

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
69ae778816267a95baef31cd52ca7c90

SHA1
cf0c11f052fd3c991ea83ac85d75583d306ee2b9

SHA256
afb2b697b9deed45a449fcfe9067f968ac5990a98b706a6d5a43713304fa7f68

SHA512
d114419f81728cd4da26a32925cdd54cf811d1769d9740d35591042425472092854557d246cc69350604205751ac6dbfa56cfe62aea2b2d0d79611cfa9082981

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
64KB

MD5
680e8e64f58123254f0c368b0e57abf4

SHA1
dd6165cc62acbc965a6f936bf23a56664ba3bc47

SHA256
196926c15bd61edf6410b0c8306958fe69bb1dd4f790516bd2c7c234695e7926

SHA512
1696a4047fbe81b5a38dd2ac7a554dd48b6d3c891b4335d8f26b80f1d4925e704ae925022342433a5f97dc4d013a219ab05f350237a4e20a1f472c0c8a0660f6

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
64KB

MD5
57ed4cdc79ff879029ab3973610e38bb

SHA1
00484e170aa5becdd11a6b49055680fd16730f95

SHA256
659bf51848277b100b789608f037c49156b3585e115678edb6ba808f41985b8f

SHA512
7e413628f24ebfd45cb336f5ac750551cf3b27057bcbde0988bebf95826162696409a1694c197d8f59da575c3ef1b5aafd7f457448b068a264792af7af5d7492

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
64KB

MD5
f3e0e083c31b0a3434e730199283cf43

SHA1
874e0c7e6aa31ca2cd45c19aba22dd5dd0564362

SHA256
05e389c39ef435406db01a0ee894fc08500ee9824a18cf3bcd3db8cfde23c68c

SHA512
830f3b2f22b83ed790a2bc5587250311242e45436949c50697d37822f874ce326232a8df93c7c360a39b44b757611a3eb3a00444e2e53c71f2cc203953050a21

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
64KB

MD5
8acf6e728e5a69b901445ab9d1d37f8a

SHA1
9af911959780b435f4b15c1a805f973f72eb37d0

SHA256
e024af21f95bd61b5feacb3b36276e75680bd3c3b81c5f7c3de70080415fd45b

SHA512
800e7fe5249112a568e17abd35b1454a17c43dba975d046619e1960d9043624866eb7e241c5a22a679e37086b880adfd2c914d4ccb26515c0d03362fb1ae1d76

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
4b63aab7a415628ed96693328d7813a0

SHA1
7bca49f320ec47a95e674a973da05dcdf59c105d

SHA256
e5a137122204f23fbc7eee5b8dac6aaa029734f828e68c5e084165b119b93882

SHA512
f45d2fdfbcb1c5b74ec8676d62dba6a1e4d63cab1ec116cc4e6cefec91c48e76858ecd80db54ce33b91be9cd5cbde75c1eabbbbd9664ce58ba9ef4c9628a3460

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
64KB

MD5
592e68e316ef06792b46a92188315e59

SHA1
6ab4e9f6135f09dfd32534e2955e32e425486499

SHA256
70401a984c587bad1715405b5e0ecdcadbbf20eb7f9d5a10a206d0df61620859

SHA512
0802d73d6ccc0ea7289b310f9b226a3b2592e3cfc1ebab0dbb31a927c3194f23916f9309057577e97e6348a75fbbe1f2fc80b7091d00f657ac66c76ff432cf9f

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
64KB

MD5
549a457b131d10d61e4ae61f92f33a78

SHA1
9d1f8463d4f64e14ade778a2a31f0a04e19cba59

SHA256
324d200539fb814ab97cb7a267e572fb2765247975a107aeaab95adf7ca71bfc

SHA512
ad89f867bf09b149ff6925ddae7bdf21b2620ca0b5883bab40041225ae8204b62e10d8ec50c4ca20a90ccbc2ef126395f9ff8d18c8ca16a444fdc89d35fbedd7

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
64KB

MD5
f655ffbcb5fda7a6f511888a74afc667

SHA1
91e8ac9d7279296212333f616d4f2662565d64a1

SHA256
4a6359f6f1cfa41ee3c4ff8ca5b7722ed8c549cc820ed54382f92bb46f6aaa74

SHA512
52ee0976e26b4b740665c54a2ca6949f8b0a512a257378b5f0c2ed49719feaa3a6cecafcac219395c87e815ab9bd60d1af1b0a5b72b2d1fa99bbce5d3673b545

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
16b5eeac80864497d842cd5a305f2d1a

SHA1
55467780734ccd9ea2b827764821740dca1d4577

SHA256
42a7e10f6c41ae4909ad4c49ee0317dc02264c8550b37a45f23576babc1ae4d8

SHA512
a98f99e405721936639aa4d2671913ab4a7aba44f27fd77eb57a3be95bec046cd51a0fa604f5df991895a43778046ffd2288937ea3f283e1377c983dcbadaa02

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
64KB

MD5
097053f7da1faf5f45aa5a916ba1ecf7

SHA1
66ed88f1ac472ffa19bfbd504b4d7d1e4b59040c

SHA256
3f1fc932b5a655651ed96f71612cbfede3c102f1793a654169b71786d77b9edb

SHA512
68b58c0a3bc1f023d45e0098e5e224ba3cb13ca8d152a20b2a919b85c24ed81306957bc381d58d72bd5e01b85d8ce9ab847acc4cc2dfa13888045417c4122382

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
a22e820fcf3aec51f218d2020bd9e3c3

SHA1
7610afb036beaae2e6ebc10abcd991de451b635a

SHA256
6137a77206192979b3755e0f4e765affe13f019c342ff1b7a1f123136a3c4baf

SHA512
557d8ed86e86e50955b707295b02adaf403bd47fe28070ac9b99f3c95754096af901aa829f09b90515a7b37a42ed493096863a4a73421843334b6949f9874daa

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
6c7d099cd3d495e3b805475c28a2d451

SHA1
7ceae3810e89870565f83ae97d89665704f5a688

SHA256
e6fc31ffc772824b8a4faec75860d0702fcd144125d6940bc2064b047022da3a

SHA512
3f91ea3b31db173112378f37706648b629775cd4a2ad478002811430b2beadf034dd7b3e625a352ae7d5785b019bd667d9ac15a8a913009488dc87644d3c4f2b

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
5a7f4f2cf3996b8c81816933fc1fc7e5

SHA1
2cebb2e5784be16b54747ef4b22f586fd6d21509

SHA256
95b69d2d11375873a935d8127b3fdc6ea7114948030961a86d5f2effd6387795

SHA512
cb36f5f1dd546cf7d29514d73bb0849c05cb9da276804f16de837eab0031708f41b3f3570dadb1d39153c071b4912729b046fd3b879c53220e897f7224900739

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
55aeb7eef564d131d1e7af84a33e74d0

SHA1
3b6f9653e07adcb462a59f27a23f35878ceb925b

SHA256
6dd6d6dce84d93dd2423130a1ef5156a5fba89ded4db1ae4ecde02c1c1d23557

SHA512
4ebc81fd0b0037af33592a65154d87d17ac037e50e775285792893cc71c58cf85bbff8f4cec38a7f1321b6183b9085263ece342993674ba68c16375766f57e54

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
5b991a7f2d160bbe7052e5b6fa0a8b23

SHA1
f9edf8dd95b7696f31c1d7febe42df7cb7b2f4e5

SHA256
dc2993451b2798b7b9d54eaf58975917da3b33ba2e01ecc74609d605c494d411

SHA512
0d9470f062f8b7c3dd41a694db48a4012b623393865b1361aca76ac0938cea456d57c6e5e3a88c226904aa45a999ce13d2f38408370843b19ebd240320cc9039

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
681ae091ab1df734f61be8411ac13e81

SHA1
c36ed0d07a6f058645a7d885fd6c16306dffdec9

SHA256
745fc2ecc3e8cc5a18cfa5812801ed2dec1a81fe73b075f3da62352af591f941

SHA512
a1cf3ba1cc5cb07a8b0728abc36eed57a55b0d721e5d67e7ca8c2d8cce27240bb7ed90d04272c97a3a417a9643d6036b9b01ff12a2a467aeafae07de8ff65f5d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
554667f2ce63c021623bc1ea41ec94a4

SHA1
5cdca82327f309d261a74c12e6574cca25189958

SHA256
ee35837abe0977f489024f34a27079592b42c59e5d0980b6d6e46e8fc67e187f

SHA512
9b8a7bf739247589d4010b1dd79fa25b1c28ad6a35c78f79ff3caa8ef0233f1872229ead32fd88e439439818f36eb16b01e399812842fc376f1c0446a63c2509

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
2ce6fc4e6e2f818e4b25a7eeeffa4250

SHA1
830cae06008f27990717013bc3b549680b41c4a4

SHA256
de2688226e5ddfb6f093a32b3234b793fce278e50d085ae61c0ed7f971badf48

SHA512
8c7215db8b216b188d0f1a19645a5fa81cc8bb8f0c3ebefd92e41c7ff23bef276460f8930962bd31442b778c4880fe1e5e95aa0853c0eb6c329ca8fde8c8d9d7

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
64KB

MD5
4f3be449fd2c7ed8644cffce207a32b3

SHA1
71d3fb8735840e213f4e8381d1d7b53343d7d3ff

SHA256
2a9a729c7ff8ce04a1e19d47118244b48ca2ed5d30b52caaf880406b05a350c1

SHA512
2f94563ae12079c8cde8d40808397cb7c24e560266ff5c88d0ba2ae4092be04d5fe82723ecdc8943647646c04162fb061c971adc5400abeb99e9f3bd3c1e1477

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
64KB

MD5
b4fb1cbfb77b3c2e3c32f7ea22347c13

SHA1
66dcd28bc53eb6f05e6c0154fce401c60ff72d69

SHA256
aa6cf665a0f3356863759178c1028ca36198eb4eebd30cdb71fb52b934259147

SHA512
97f5c24c986210a4d69245da4a6e8381e9ccbefaf3db535c9b0b147dc8d28e4ca0cb81dad7b6fec8add3e795b55a244de997793acd8ecc68af6c4d470472dfbb

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
64KB

MD5
a1bc2f69aed01576be71e3228571c4b8

SHA1
ea7fc803a892106da73bc33c5b3c0da2a36252b2

SHA256
78e0d71661f50764e73bf978832e467ee6b88820f2eaffb6f3b068a700c044e1

SHA512
08bd23de8d1ae432ce38950d92a243ef2894e5fcf05f42567812f0714939bc0832093ca8e33d4a6eaa9087d07c0c406ca29cd65a7ffe721c86cfcb66b0fc3cfc

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
6058608e933923031192e262b116f665

SHA1
15b8967a62701a44b4fbf5f81199731db3322c0f

SHA256
fbb2076671996eb5fcb9419d50f85caa07b0d0e6bb946cca888569ec82428a33

SHA512
1f7d234629950d3f188c64fcb0e37a2bf552efcdfb655c72f0ed5213862e9e2f05b24990932ded459480bcfffe62075648111e568dd0116342478d4970e79af6

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
8195925719d750e686be01dff27e4edb

SHA1
92e2dd816d4abeb482f200f9447258b6add5fc41

SHA256
0e0191f0d3987e72b701baed00e61f24515591cfc3a9625203481c68e1f16a10

SHA512
a8747559952c4e4a266c57c799ba3d095af500e74ea4ced43394c64aaa78ca7747ffb7a4d26e55bff7cfb1a8e36f2742a15bc00915c12ebd74c449a7ce129a38

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
64KB

MD5
66bd48ce7a198f5cfa22a2f69e26bd3f

SHA1
68f64b26c5970c8a283a0b1a5daa54959939f927

SHA256
9a207b9b5b965fb0dcbb307697e258ef9f726a0e1e56fb1307417a340033152e

SHA512
1372e314b36b11b667ae222f619873d1d6f9e7f97066cc225797f035cc527239fa96045d9a140ce43748d6a9faaaa9e1f560427869bb331971a660008ba8bc88

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
64KB

MD5
2b6cbd2c93bd35e6f7d309d6076b696c

SHA1
74f718f9ccbb815dbba6ea771ad3353b17066dfc

SHA256
3351322a57133c5767adcd0125209557b283abe9d3c5daccc1ac3d6ceebfe737

SHA512
ce6553060712eed4a514ebb0b04035f321be256b5d8b1886ec67b487a0f2090ebc69826e6b738136c4aa5c93b0f7e999a77553a90a4be80285691cc96e4b4e3f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
64KB

MD5
328afa6ca961b31c55f0b7e6fd2dd24f

SHA1
976e1a32525d2d73f6d9c31cfd0492dd584609aa

SHA256
11ba0b9ba77fc135c65f8afd5b6d3e1b02e89b10275c0c6af533f6a4b34001a4

SHA512
a93b4a33939d997510023c638c6121c46c58eeb421ff7e0d9e687e4f9b55f4b7e0cba192b7d6c7e0502978652d6af0f9b99ababde79ce9903bbd04b245f44980

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
64KB

MD5
526b41bbeabebfc783f9911e29708344

SHA1
c95d7323e191fda08ff9da1c36cd075e24ddec95

SHA256
b9a0224e40b2c519ac3fe07660be585db9735585e71559ce6d205acf00455e33

SHA512
6d56aab22fdc642cdd0698f38ffed3dea0c302b30f142861e73837082991bfbc5e54b8e4030d8488ef9eb68ffb97ea67ee3d028fd30856c6aa21fe7a8080f102

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
64KB

MD5
ac3a1ef3b3001e1538bf88a31cdc5a8d

SHA1
212abf68b377330107e5c3502e3cf8a9fb18a666

SHA256
d6350325584778dbf899125f34859162c8d7e6c673a9090379723ce64483ec95

SHA512
2791f1fd313c793acf74693841ed64e7fe77054bddeda7136b4dd71f8b8cf1bec21879312a666ce4fbd364a3f7e04ac8d658290d305b829b44b33418f4175dd4

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
64KB

MD5
7d111b753013653fbd752cfa1c0d698e

SHA1
c6a94aa7cd5103f8b0660ca833873489dc3352d2

SHA256
cbf64ba1ca989f6090d63de6bb5d9addda540aee1cd83f69ee9796a753469a35

SHA512
dff4a0bf85f56e4fdfa95f1f33306c0d367d91fdb6b0a5af19ebbbe21505c93083ca02bffce3e03c623817cc93301dabef1547ac8e5863a6967f9ff1f4477c18

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
64KB

MD5
242ba27e3064c2b5c3b714d84d851906

SHA1
9ad01c4ed2736427268d58ca825deb7a67540e6d

SHA256
263576ff5f9e6fc94991ae8a8316db9d09a281bb3ba97a4d74a1d1c1f0978cee

SHA512
20344598b2b2c53387253acd6e1915586807de9b1b8d31bf735ae7423e7bb40ecca942ec91d09d657c29c181336ce1be31fe0e65ebf0ce52fd627b38656bcd39

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
64KB

MD5
0638a7c0b8f74c3758c5f22580a82892

SHA1
a59f592d1bcdd4f6b5a4a62edb0ec091d66e16ac

SHA256
97f573e1539edb076032e576baf97150858300c6b3af6f3e09ba08b150e19cc2

SHA512
0b1b8289061f7333557085a193fdebe7ce553fd4452ede70d2f7d739c988a0344801989daaaed47b9d06103e7464a62601674393ce2a3c5dc567d7ca194cce67

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
64KB

MD5
a46f554ccef7d1018184fb8fbb0b6477

SHA1
06f1e6fa987c30b4a6092a5d6d4142ee26be8c68

SHA256
252a1c7ec03ae7e69f0c50c8181f5ad4ebd84516525fca78a618f1a71bb311e3

SHA512
ce5a201c656d38ac1478afe1c044866f7d605e475b41311b7012765fc47fcf5d08230bad84d60142b2bf1252c73912077a5a1494c932f62b88b850e4ff86b15e

Download Submit
memory/312-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/312-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/556-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads