berbew | 2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Size

448KB
MD5

cdc2f8c4bcb40612c4e0699b0217c8f0
SHA1

0538d860bf81b9e662b49ee03609cdaf1088990a
SHA256

2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041
SHA512

d75862cdc2b541ec6557517ac30df918e65af8e8539f2d130601c729862d014815407d04ea8fabd33e381f2f610aa40f95c84214cd9fc08e8b35155200883176
SSDEEP

12288:zckqjF4f/GyXu1jGG1wsGeBgRTGAzciETdqvZNemWrsiLk6mqgt:leFoGyXsGG1wsLUT3Iipt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhofnpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjfqpji.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 26 IoCs

pid	Process
3708	Pbddobla.exe
600	Pbgqdb32.exe
1444	Pcfmneaa.exe
1612	Pomncfge.exe
4996	Pbljoafi.exe
4016	Qejfkmem.exe
2188	Qkfkng32.exe
2732	Amfhgj32.exe
2088	Abcppq32.exe
720	Abjfqpji.exe
1248	Aidomjaf.exe
1060	Bfhofnpp.exe
2828	Bppcpc32.exe
2940	Bemlhj32.exe
3416	Blgddd32.exe
2584	Bbalaoda.exe
4264	Bflham32.exe
3600	Blnjecfl.exe
1416	Cibkohef.exe
3536	Cehlcikj.exe
436	Cekhihig.exe
3088	Cdlhgpag.exe
456	Cfmahknh.exe
1948	Dbcbnlcl.exe
1852	Dbfoclai.exe
4396	Defheg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Pcfmneaa.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Bemlhj32.exe	Bppcpc32.exe
File created	C:\Windows\SysWOW64\Hlhkja32.dll	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Jknmpb32.dll	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Bfhofnpp.exe	Aidomjaf.exe
File opened for modification	C:\Windows\SysWOW64\Cibkohef.exe	Blnjecfl.exe
File created	C:\Windows\SysWOW64\Cehlcikj.exe	Cibkohef.exe
File created	C:\Windows\SysWOW64\Dbfoclai.exe	Dbcbnlcl.exe
File opened for modification	C:\Windows\SysWOW64\Defheg32.exe	Dbfoclai.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Bfhofnpp.exe	Aidomjaf.exe
File opened for modification	C:\Windows\SysWOW64\Blgddd32.exe	Bemlhj32.exe
File created	C:\Windows\SysWOW64\Bflham32.exe	Bbalaoda.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Defheg32.exe	Dbfoclai.exe
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Amfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Abjfqpji.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Idcdeb32.dll	Blgddd32.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Kfhfap32.dll	Abjfqpji.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Abjfqpji.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Aidomjaf.exe	Abjfqpji.exe
File opened for modification	C:\Windows\SysWOW64\Aidomjaf.exe	Abjfqpji.exe
File created	C:\Windows\SysWOW64\Boipkd32.dll	Bemlhj32.exe
File created	C:\Windows\SysWOW64\Midbjmkg.dll	Blnjecfl.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Hjjmaneh.dll	Bfhofnpp.exe
File created	C:\Windows\SysWOW64\Djbehfpe.dll	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Cekhihig.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cekhihig.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Cfmahknh.exe
File opened for modification	C:\Windows\SysWOW64\Abcppq32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Abdagi32.dll	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Cibkohef.exe	Blnjecfl.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
File opened for modification	C:\Windows\SysWOW64\Cehlcikj.exe	Cibkohef.exe
File created	C:\Windows\SysWOW64\Cfmahknh.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Ldbeqlcg.dll	Dbfoclai.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qejfkmem.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Bbalaoda.exe	Blgddd32.exe
File opened for modification	C:\Windows\SysWOW64\Blnjecfl.exe	Bflham32.exe
File created	C:\Windows\SysWOW64\Ndfchkio.dll	Cibkohef.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Ipekmlhg.dll	Bflham32.exe
File created	C:\Windows\SysWOW64\Ladlqj32.dll	Cekhihig.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pbgqdb32.exe
File created	C:\Windows\SysWOW64\Doklblnq.dll	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Bppcpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bflham32.exe	Bbalaoda.exe
File created	C:\Windows\SysWOW64\Blnjecfl.exe	Bflham32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1784	4088	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cekhihig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blnjecfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfoclai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll"	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbeqlcg.dll"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boipkd32.dll"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfchkio.dll"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Defheg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjhlh32.dll"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjmaneh.dll"	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdagi32.dll"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bppcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmglfe32.dll"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhofnpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll"	Bflham32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Defheg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Bppcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcdeb32.dll"	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cibkohef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Pbddobla.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3708	3004	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe	89
PID 3004 wrote to memory of 3708	3004	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe	89
PID 3004 wrote to memory of 3708	3004	2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe	89
PID 3708 wrote to memory of 600	3708	Pbddobla.exe	90
PID 3708 wrote to memory of 600	3708	Pbddobla.exe	90
PID 3708 wrote to memory of 600	3708	Pbddobla.exe	90
PID 600 wrote to memory of 1444	600	Pbgqdb32.exe	91
PID 600 wrote to memory of 1444	600	Pbgqdb32.exe	91
PID 600 wrote to memory of 1444	600	Pbgqdb32.exe	91
PID 1444 wrote to memory of 1612	1444	Pcfmneaa.exe	92
PID 1444 wrote to memory of 1612	1444	Pcfmneaa.exe	92
PID 1444 wrote to memory of 1612	1444	Pcfmneaa.exe	92
PID 1612 wrote to memory of 4996	1612	Pomncfge.exe	93
PID 1612 wrote to memory of 4996	1612	Pomncfge.exe	93
PID 1612 wrote to memory of 4996	1612	Pomncfge.exe	93
PID 4996 wrote to memory of 4016	4996	Pbljoafi.exe	94
PID 4996 wrote to memory of 4016	4996	Pbljoafi.exe	94
PID 4996 wrote to memory of 4016	4996	Pbljoafi.exe	94
PID 4016 wrote to memory of 2188	4016	Qejfkmem.exe	95
PID 4016 wrote to memory of 2188	4016	Qejfkmem.exe	95
PID 4016 wrote to memory of 2188	4016	Qejfkmem.exe	95
PID 2188 wrote to memory of 2732	2188	Qkfkng32.exe	96
PID 2188 wrote to memory of 2732	2188	Qkfkng32.exe	96
PID 2188 wrote to memory of 2732	2188	Qkfkng32.exe	96
PID 2732 wrote to memory of 2088	2732	Amfhgj32.exe	97
PID 2732 wrote to memory of 2088	2732	Amfhgj32.exe	97
PID 2732 wrote to memory of 2088	2732	Amfhgj32.exe	97
PID 2088 wrote to memory of 720	2088	Abcppq32.exe	98
PID 2088 wrote to memory of 720	2088	Abcppq32.exe	98
PID 2088 wrote to memory of 720	2088	Abcppq32.exe	98
PID 720 wrote to memory of 1248	720	Abjfqpji.exe	99
PID 720 wrote to memory of 1248	720	Abjfqpji.exe	99
PID 720 wrote to memory of 1248	720	Abjfqpji.exe	99
PID 1248 wrote to memory of 1060	1248	Aidomjaf.exe	100
PID 1248 wrote to memory of 1060	1248	Aidomjaf.exe	100
PID 1248 wrote to memory of 1060	1248	Aidomjaf.exe	100
PID 1060 wrote to memory of 2828	1060	Bfhofnpp.exe	101
PID 1060 wrote to memory of 2828	1060	Bfhofnpp.exe	101
PID 1060 wrote to memory of 2828	1060	Bfhofnpp.exe	101
PID 2828 wrote to memory of 2940	2828	Bppcpc32.exe	102
PID 2828 wrote to memory of 2940	2828	Bppcpc32.exe	102
PID 2828 wrote to memory of 2940	2828	Bppcpc32.exe	102
PID 2940 wrote to memory of 3416	2940	Bemlhj32.exe	103
PID 2940 wrote to memory of 3416	2940	Bemlhj32.exe	103
PID 2940 wrote to memory of 3416	2940	Bemlhj32.exe	103
PID 3416 wrote to memory of 2584	3416	Blgddd32.exe	104
PID 3416 wrote to memory of 2584	3416	Blgddd32.exe	104
PID 3416 wrote to memory of 2584	3416	Blgddd32.exe	104
PID 2584 wrote to memory of 4264	2584	Bbalaoda.exe	105
PID 2584 wrote to memory of 4264	2584	Bbalaoda.exe	105
PID 2584 wrote to memory of 4264	2584	Bbalaoda.exe	105
PID 4264 wrote to memory of 3600	4264	Bflham32.exe	106
PID 4264 wrote to memory of 3600	4264	Bflham32.exe	106
PID 4264 wrote to memory of 3600	4264	Bflham32.exe	106
PID 3600 wrote to memory of 1416	3600	Blnjecfl.exe	107
PID 3600 wrote to memory of 1416	3600	Blnjecfl.exe	107
PID 3600 wrote to memory of 1416	3600	Blnjecfl.exe	107
PID 1416 wrote to memory of 3536	1416	Cibkohef.exe	108
PID 1416 wrote to memory of 3536	1416	Cibkohef.exe	108
PID 1416 wrote to memory of 3536	1416	Cibkohef.exe	108
PID 3536 wrote to memory of 436	3536	Cehlcikj.exe	109
PID 3536 wrote to memory of 436	3536	Cehlcikj.exe	109
PID 3536 wrote to memory of 436	3536	Cehlcikj.exe	109
PID 436 wrote to memory of 3088	436	Cekhihig.exe	110

C:\Users\Admin\AppData\Local\Temp\2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe
"C:\Users\Admin\AppData\Local\Temp\2d94df11a940e906904a7cf284746b3191cb4d5d2bfba9c18142b2af89cde041N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Pbddobla.exe
  C:\Windows\system32\Pbddobla.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\Pbgqdb32.exe
    C:\Windows\system32\Pbgqdb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Windows\SysWOW64\Pcfmneaa.exe
      C:\Windows\system32\Pcfmneaa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 412
        29⤵
        Program crash
        
        PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
448KB

MD5
19bea6eed4b2109d65407191e477f327

SHA1
b4a4fdc8d5860aee5d1896c2bc73abc182cffae7

SHA256
6fb376bbcc04561fa5edf8b1c1ee75e9aec64b5df00b8795a31d003e279017ba

SHA512
3548a0273d1a7b009a512cc0c7f446af2ce7feadcfac13f0d7edec1a62dceae92f7a23f8d0164e8aac88619a1e0a290d03821e736807a65a879023c7400dae03

Download Submit
C:\Windows\SysWOW64\Abjfqpji.exe

Filesize
448KB

MD5
552d96df484b66806618fe27fc31d268

SHA1
54075d70b8561cb3c41275a142553e2130e0aa88

SHA256
8301193144af9a65eac3922d9c237c863f2055caeaded705b1121078a056f750

SHA512
25067bf0d13b5e4da57a98e8ca8e0cb2d458708e8e92a9e63ec984b71a77045571a9d2adb3dfe817e6ea60504bbef660875c38aec841511f14d7d7f17370ca54

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
448KB

MD5
20705aae874f2c1b1f0a64121ab109b4

SHA1
0e7e6557c952e6f52ffbb35e58e97b65c7224c3c

SHA256
b1d3172b4867e5e04582f34a3da6c313206617dd513f8e61af9db051df492089

SHA512
0ef37b26935a28708ae28bae26d0f030a75478c6a4c3c230e55110e201d0fb65a30a98c859c487a17ecf962b5c9015ea9e889d6d7fe90dd586151d2913897870

Download Submit
C:\Windows\SysWOW64\Amfhgj32.exe

Filesize
448KB

MD5
fcd5555894cde6be9d5a779ebb39faae

SHA1
97fec55a0610a21bad79f47d14d383f4ccbc63c1

SHA256
81a5812853ba6d5b26867c76dbbe69fa6e75b3103dc56566dd3ae8289ca9e5e9

SHA512
c0af634651ccd7f2d29b03c66c5e063bdf4ab6a4b195e81163e3af039f6b1fefa0abb8ce598b5934096e6f0219a6e3901c32d3d8b4affa56e52b7fadad86832d

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
448KB

MD5
89001f6cb051c895e09c1647a7250f69

SHA1
554f43db800dd9a31a628ed01033c525f6cdb7c4

SHA256
dddb523da7e48c11aa41da75da1351b3b62697b2f9e47436e2e0676d80b55baa

SHA512
17b0cdbf65eb4d8d162c36460c06da31e4631c77483a4c3c235944a34e0d8f4fb111436201bcad1edb8bf70c2b5c64fa58c5f66f8dc9513d0c3e989e40876907

Download Submit
C:\Windows\SysWOW64\Bemlhj32.exe

Filesize
448KB

MD5
71502162df0df23412c7399f0a0e63a1

SHA1
9b95c950f1621f0af96880dcebf5c038423b7ab1

SHA256
e98c8ed8d6ffd2c8b57424ac04a049ec47528c3af49d5c1cc19ae3f1a11836e3

SHA512
f8f951cb1661c01bce033c7f1572b710f7dd8805d271d0072b6a9f645d3b06e68e2fcbcb54b1bfabcf629853d8532ca57e4f9765c5b1c511dff886d31bfb026e

Download Submit
C:\Windows\SysWOW64\Bfhofnpp.exe

Filesize
448KB

MD5
194bdec70d1b44a68c965320dba52449

SHA1
fab980e0fe4b9318bca7d5bd058cbda286b3741d

SHA256
fb328d366b1baec23414a5ced37a8e41b0418d0787de07f8982ca25ae5ccdb2d

SHA512
f2287827a020f9171e62d402c3c9d467dd598fc631498c1fceffc330d7cdb1e5c66c2e490e197eedf08dcdce12d52713f2e598acd0ba977ab592a91f00ad703c

Download Submit
C:\Windows\SysWOW64\Bflham32.exe

Filesize
448KB

MD5
8854ed2c6c55154e60ac0c914e744ad9

SHA1
8b30e5e62c0ea52ab6f84a4e67694409dfde630d

SHA256
120186fda2bb68123f2c04ab1bc861c7eca04a0aa91ba83bfdb546dd91c355e3

SHA512
67fa947a273fd24982c30666871e470b01d499e3341485a8e9f3a6f54a9c079597a756ea78be30122a7c9ff79dfca3d56adb0af17a317833a4e34fb3d600bdd3

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
448KB

MD5
8f9d3a12a3e777f667882182452a565a

SHA1
d5ca42234e38ef3fc83a1a5d199cb568d5d205f5

SHA256
e1db1c2a5962a73f7f9eeefccd3b03a0fc1622cb0b62203c134b567d65499545

SHA512
b951efcd8e35c29a910f873d21405a03f363c7198c96c60f538a4cb34100be64ce2622cb7adb6e6e41746d3b9cf388c9b87c36e9bf28c21df414fbb626824b34

Download Submit
C:\Windows\SysWOW64\Blnjecfl.exe

Filesize
448KB

MD5
cf78d8eb0b9a515cd6663ed0807ed13f

SHA1
e34e6216a30899e2ec26f1773bc0bceb3058e26f

SHA256
01156f6d85ef2127e30e5b23b4bcad6e445119310cc3f83fc67fb7a5f9cc04bf

SHA512
ac8dfbf496762b9f33f6057682887a95366c26fde80d4721c0109422522816ed5c4fde733e2f021370857647a5ef4b6a92c1dfcc832aa98c9317140fb2ffb34c

Download Submit
C:\Windows\SysWOW64\Bppcpc32.exe

Filesize
448KB

MD5
794710d2389148a96ce92b7a4ea6ea20

SHA1
8853bfcb0c9d3de04496fabae4e15db468b9e6fa

SHA256
f28c064b67637d3a309150afcfc51df4d79e4b780fb4316fdf6be00354b6d648

SHA512
68f1424fa3122357874eaf0a547bbce0c46773b69eea6460949a8251b09af349b8f77a23033503507d71e49e61a48c0cb6d4a3ebabc84bd2784d54b6b3212f5f

Download Submit
C:\Windows\SysWOW64\Cdlhgpag.exe

Filesize
448KB

MD5
beb044dcea11f901077cb9716c280081

SHA1
cf0bac5ef994d8dc17246225214c7eb28a288c97

SHA256
292357aba8c3b6e5bd38554cc23db767650a92a2037c0b7cd80027ef69a9331f

SHA512
8b670851241ad7294c12107d35eae9ab4270e580e6d3d0a612ca2e51099798ddc29f726f90b463fe1310f659caa0fd1a0dd41c4f4bc8b3ada9e587b1c6940dd3

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
448KB

MD5
b166ab01061191717376e6df7968376c

SHA1
9ad0ad33083c3079a416d66ffe1a95c7edddb687

SHA256
f2a5ca6ec1d50bc372d3b47a6ee4218a71f38204f3e2462cd19fbec7cdd9b9d4

SHA512
78930b7819c25400cd2703c2e6ebf52ee171443508b42db2a30ad93ec50c6bd2c7dabbdc1c2eddc7062f0a958409c524f061e4a2162675bf366fe5e0bad69b92

Download Submit
C:\Windows\SysWOW64\Cekhihig.exe

Filesize
448KB

MD5
4c0b6a2d314dace998c5c764d3ced855

SHA1
7f5a5ad0c71e7be72bf1c3db7d2ef940a156cf4d

SHA256
153f2dc5a774bdf96457ec09f4026e6dae9aa648ad04dca0e1019f22e9d9bcf1

SHA512
7e4cac764dd75088b7f082e04e21c476eebf8c7cacddf7abb17af015e3e33a69db2d90b7288c85b736bbf93285da085b877ba867a31668bcf9a51dff13769712

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
448KB

MD5
c209964f39c55bed82faf44818f6b9ff

SHA1
be9514278ab51fdf5f9c4ace26ba97e3411af177

SHA256
61a1ac1ad16a08086ccd48efaec32731338f429ac70e1b190ff1322a53950ed3

SHA512
f46acb6ac221027174e03fd68d1740b6faad961d5b8d3d7db7705a7b0953632cdca64cc4c46e57fba2704bc21b3793e7b20f65956c2dbbb38e1d115f05b78eee

Download Submit
C:\Windows\SysWOW64\Cibkohef.exe

Filesize
448KB

MD5
8c10f15f36e12df04ff23198a5f04eaa

SHA1
a10b85d7dcdbb3cc143ccae91f2266b186de6542

SHA256
c93fe5bbc4c6579007f5a35cacf86f5653d7844d789fb9b2f8415dc4fa6ddb72

SHA512
4afaaa99fa580bff9c5349adecf929c31c9acdf8c10aae647f7f4d3dec89bd97a09d30764a0e3577cbb4c15ac57d4116ad3f19e6d76a950a37f6df4636cfb2ce

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
448KB

MD5
aa074939155d22a88a2c2d5389f08ee1

SHA1
9a8ec2fda6608bbe3d841ffc7eddfb49dad48fc1

SHA256
4630e69cc200c8a2c8ef9aecb176ed8beea6a307a3afea84aa5a1497869cf374

SHA512
de286f71fffc196a75505a4fe1556d8d0c7402a532f9f4fffb6b0cd6c643fa46eb2ddfba0c6ed064d978c4f21bf5bb441bdd7abf2749ffcddf32607195b674bf

Download Submit
C:\Windows\SysWOW64\Dbfoclai.exe

Filesize
448KB

MD5
0c33728b9f6c0874f49c2b6e492bf406

SHA1
ffdaa1d8b1b31265b1bc36b81213dc016eeff4c8

SHA256
b96fd56cf244c3bdba5ba7b57c14eaca8db1a8d46e1e2406aa065df6deedd78d

SHA512
55c53fe84eda1811bcdbb092a49590b8c0e5e1840a2f48294eeb4078cc56d322fc142ee16451f1039efb7d487cf8db7bf0f20730c09b76e6307c9fc39d711bd2

Download Submit
C:\Windows\SysWOW64\Defheg32.exe

Filesize
448KB

MD5
3ca750ae1b8161ea6bed43a97e1ecae4

SHA1
1b2bd9bf4a58363c7e66e0dab20624636f4c56b9

SHA256
6bf1b5dcfe6807c236c7bb8bc519736921bc917a3f8f7bed93bc77812e281861

SHA512
1d4cfda468049c95e4e5ff363775977308ec00febb9a281667afbcce16c3bcda954052ae97e0523db1689e2142ff097fd2c3db165a2fcf548a2bd87856e70161

Download Submit
C:\Windows\SysWOW64\Jknmpb32.dll

Filesize
7KB

MD5
c09b0b350f2f2de881ebf3addb7b9271

SHA1
19aa81fbcf7f52883fb5f5c9f5c7035970e4aba8

SHA256
9f9e92c446f26990882c97d0f08dfb0dd3cf7cc85aba2821c2e49f2757cbcbaf

SHA512
d0d42bd192db2319cc9fea5b5263b72094881803ed795159f59401b62904d0f8d4c557bcad8ab7c058a0115ff92eec74fc5c642c33636b86a84d3989506ff53e

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
448KB

MD5
d50520df6cd0082a04d43b7dd21b2f88

SHA1
ac3913d9faaeeb934c1cf7acf5f3e904561693cb

SHA256
7c17ed342ef1fccbd2e79d58c8b52d021ad62513ade5fe6482353f206cb60847

SHA512
1eb672755438170fc24dd0a69af5888899709e73a3aeed9260c72dd86c2f4142135c0c2dfe642371871321c576547815ecd16244fac0e3e8bb987ce4368a185a

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
448KB

MD5
3db6b98b46c2ba585259946e59362ced

SHA1
1bcedc15a4e807f43d9b4196dc0a9f17c182001f

SHA256
edc83512cdea17f18e9e1a01126d539b5d82c1b0e322c244ede14ffd68d00f9b

SHA512
d6c50745f2b3fa5ea334f3d1799ba9a240f7a32499d4f4a83ad132a6d481d6e10feba91b8ac7095fea14efcfd1aed49e2da70b0db2b2f12501e830c6095e9786

Download Submit
C:\Windows\SysWOW64\Pbljoafi.exe

Filesize
448KB

MD5
6fd221b0cca4e3f6156eb72478e5d938

SHA1
c0b9c23ef400cecd29b067d5a3a7a220cb909ab2

SHA256
86ea452ff850652963bf1e82153136591a99ae1071fc31f9653dbc8db45a50d4

SHA512
2b39b1ab875cfa118875eb76eb4350b7d35580b06456c1326d074e8c3282b9cb9d0181d6bb04eee94357b7f957772b5f4660aa2604f4cce7bda138e0dd344ac3

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
448KB

MD5
02da44d0df57239ddc083d34bd591140

SHA1
086b82c81429c1ec19bdacfcdbbec2a4dfa40799

SHA256
54abf3f55b3582f7fcb0e1e832df041fb0109b6b3ba854c7d6d26cd464fbeb6f

SHA512
35d3d57164ccd2d768ac16f098b3ad9d87dba33634cb237411a4ff607dea779d35747ba803270f4cbd57ae393613b6697ee9d921f34f0eceaae08cafa9c80fd3

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
448KB

MD5
02fb9b9a33b404da75d7b48f925f1657

SHA1
7cf860b52e1e22d47cd61dcb5476b5f884d44042

SHA256
d15e4ad622cbf55ccfc56f0fa7c4fbcc8988f303c41dcffe5975747e9246e7ef

SHA512
176598b4907ffa29816ad362ba6eb0d826cf1c3237875bb82ec8515ad681506a46b8626405ee9e4a197cf29175479ec4468333ac2616599781eb94dc10ad1726

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
448KB

MD5
12e1c2375b1ff568976a9147b1347c74

SHA1
00a05f7d0af9bbc38c4b030063977a7833e0877a

SHA256
80aaba5ed9b56343af65be0a4384e0d8a9c07a01ee6ff25772202356282cc3f6

SHA512
f326d5832cbcb27e4d4a8601f5409cd0080a55512fe343d9176d757d4ba0c7f3bfd7bf9815ddd462e4c289ae8baf14e76d0a965a836ba4c07225dcb2361db855

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
448KB

MD5
dd3e79fb927a5e59c3c244f1ef46a8f8

SHA1
d189da0de6289cb53e34c7677670105c600cb89a

SHA256
0cba91eb89d86f707838f11841ba53a60232ca8de5340b5a3a1f7dc032ecbc3e

SHA512
63b0fa8c678ba2104ba581a3812149950709eb8eb41fe3d61905a36402354c6686673266614e849a00b8974de4cfaef12723672c1495aae51c08cb6cf7f8c77e

Download Submit
memory/436-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/600-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/600-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads