berbew | bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
Size

322KB
MD5

c183e0179d33bbc8841bb98906f505b0
SHA1

e3210cb6ee8f7fae47f65942eb3400fcf6578b98
SHA256

bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627
SHA512

01b2bd9560ae7d71dac25f3a1e1b23b18cb30ef6d8e1da40bfc614a3ebc0ff5e3e1ec71db744627c77df8ef493aa0ab252e00ecf42042086c59913c0c2e50e61
SSDEEP

1536:eSdsyvFMBSf6eDIOphQj+v6EAxfhX7NjgL9MhARQJTmDhdF+PhJFTq1dlCsTx4LB:eSzq2hIOs+SdpLNjgLyhAeJSVGZ3Odl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4272	Pnonbk32.exe
2236	Pqmjog32.exe
3504	Pqpgdfnp.exe
3412	Pncgmkmj.exe
2320	Pfolbmje.exe
1008	Pqdqof32.exe
4200	Qnhahj32.exe
4612	Qjoankoi.exe
5004	Qmmnjfnl.exe
1076	Qcgffqei.exe
1288	Acjclpcf.exe
2156	Ambgef32.exe
688	Amddjegd.exe
3700	Aeklkchg.exe
1640	Ajhddjfn.exe
3124	Aabmqd32.exe
4500	Afoeiklb.exe
4700	Anfmjhmd.exe
3920	Accfbokl.exe
4556	Bfabnjjp.exe
2396	Bjmnoi32.exe
2256	Bmkjkd32.exe
1276	Bagflcje.exe
2660	Bebblb32.exe
5112	Bcebhoii.exe
992	Bfdodjhm.exe
1416	Bnkgeg32.exe
3664	Bmngqdpj.exe
2436	Bgcknmop.exe
2128	Bjagjhnc.exe
4688	Bnmcjg32.exe
1664	Balpgb32.exe
4284	Beglgani.exe
464	Bcjlcn32.exe
1444	Bfhhoi32.exe
4028	Bjddphlq.exe
4848	Bmbplc32.exe
4716	Banllbdn.exe
3056	Beihma32.exe
4504	Bhhdil32.exe
4560	Bfkedibe.exe
4384	Bnbmefbg.exe
224	Bmemac32.exe
3384	Bapiabak.exe
3420	Bcoenmao.exe
4512	Chjaol32.exe
3312	Cjinkg32.exe
5036	Cmgjgcgo.exe
408	Cabfga32.exe
4728	Cdabcm32.exe
3248	Chmndlge.exe
448	Cjkjpgfi.exe
2360	Cnffqf32.exe
3300	Caebma32.exe
1596	Cdcoim32.exe
4360	Cfbkeh32.exe
2948	Cnicfe32.exe
4296	Cmlcbbcj.exe
3468	Ceckcp32.exe
4784	Cdfkolkf.exe
2324	Cfdhkhjj.exe
228	Cnkplejl.exe
4412	Cmnpgb32.exe
2712	Ceehho32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qnhahj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5156	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4272	4100	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe	83
PID 4100 wrote to memory of 4272	4100	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe	83
PID 4100 wrote to memory of 4272	4100	bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe	83
PID 4272 wrote to memory of 2236	4272	Pnonbk32.exe	84
PID 4272 wrote to memory of 2236	4272	Pnonbk32.exe	84
PID 4272 wrote to memory of 2236	4272	Pnonbk32.exe	84
PID 2236 wrote to memory of 3504	2236	Pqmjog32.exe	85
PID 2236 wrote to memory of 3504	2236	Pqmjog32.exe	85
PID 2236 wrote to memory of 3504	2236	Pqmjog32.exe	85
PID 3504 wrote to memory of 3412	3504	Pqpgdfnp.exe	86
PID 3504 wrote to memory of 3412	3504	Pqpgdfnp.exe	86
PID 3504 wrote to memory of 3412	3504	Pqpgdfnp.exe	86
PID 3412 wrote to memory of 2320	3412	Pncgmkmj.exe	87
PID 3412 wrote to memory of 2320	3412	Pncgmkmj.exe	87
PID 3412 wrote to memory of 2320	3412	Pncgmkmj.exe	87
PID 2320 wrote to memory of 1008	2320	Pfolbmje.exe	88
PID 2320 wrote to memory of 1008	2320	Pfolbmje.exe	88
PID 2320 wrote to memory of 1008	2320	Pfolbmje.exe	88
PID 1008 wrote to memory of 4200	1008	Pqdqof32.exe	89
PID 1008 wrote to memory of 4200	1008	Pqdqof32.exe	89
PID 1008 wrote to memory of 4200	1008	Pqdqof32.exe	89
PID 4200 wrote to memory of 4612	4200	Qnhahj32.exe	90
PID 4200 wrote to memory of 4612	4200	Qnhahj32.exe	90
PID 4200 wrote to memory of 4612	4200	Qnhahj32.exe	90
PID 4612 wrote to memory of 5004	4612	Qjoankoi.exe	91
PID 4612 wrote to memory of 5004	4612	Qjoankoi.exe	91
PID 4612 wrote to memory of 5004	4612	Qjoankoi.exe	91
PID 5004 wrote to memory of 1076	5004	Qmmnjfnl.exe	92
PID 5004 wrote to memory of 1076	5004	Qmmnjfnl.exe	92
PID 5004 wrote to memory of 1076	5004	Qmmnjfnl.exe	92
PID 1076 wrote to memory of 1288	1076	Qcgffqei.exe	93
PID 1076 wrote to memory of 1288	1076	Qcgffqei.exe	93
PID 1076 wrote to memory of 1288	1076	Qcgffqei.exe	93
PID 1288 wrote to memory of 2156	1288	Acjclpcf.exe	94
PID 1288 wrote to memory of 2156	1288	Acjclpcf.exe	94
PID 1288 wrote to memory of 2156	1288	Acjclpcf.exe	94
PID 2156 wrote to memory of 688	2156	Ambgef32.exe	95
PID 2156 wrote to memory of 688	2156	Ambgef32.exe	95
PID 2156 wrote to memory of 688	2156	Ambgef32.exe	95
PID 688 wrote to memory of 3700	688	Amddjegd.exe	96
PID 688 wrote to memory of 3700	688	Amddjegd.exe	96
PID 688 wrote to memory of 3700	688	Amddjegd.exe	96
PID 3700 wrote to memory of 1640	3700	Aeklkchg.exe	97
PID 3700 wrote to memory of 1640	3700	Aeklkchg.exe	97
PID 3700 wrote to memory of 1640	3700	Aeklkchg.exe	97
PID 1640 wrote to memory of 3124	1640	Ajhddjfn.exe	98
PID 1640 wrote to memory of 3124	1640	Ajhddjfn.exe	98
PID 1640 wrote to memory of 3124	1640	Ajhddjfn.exe	98
PID 3124 wrote to memory of 4500	3124	Aabmqd32.exe	99
PID 3124 wrote to memory of 4500	3124	Aabmqd32.exe	99
PID 3124 wrote to memory of 4500	3124	Aabmqd32.exe	99
PID 4500 wrote to memory of 4700	4500	Afoeiklb.exe	100
PID 4500 wrote to memory of 4700	4500	Afoeiklb.exe	100
PID 4500 wrote to memory of 4700	4500	Afoeiklb.exe	100
PID 4700 wrote to memory of 3920	4700	Anfmjhmd.exe	101
PID 4700 wrote to memory of 3920	4700	Anfmjhmd.exe	101
PID 4700 wrote to memory of 3920	4700	Anfmjhmd.exe	101
PID 3920 wrote to memory of 4556	3920	Accfbokl.exe	102
PID 3920 wrote to memory of 4556	3920	Accfbokl.exe	102
PID 3920 wrote to memory of 4556	3920	Accfbokl.exe	102
PID 4556 wrote to memory of 2396	4556	Bfabnjjp.exe	103
PID 4556 wrote to memory of 2396	4556	Bfabnjjp.exe	103
PID 4556 wrote to memory of 2396	4556	Bfabnjjp.exe	103
PID 2396 wrote to memory of 2256	2396	Bjmnoi32.exe	104

C:\Users\Admin\AppData\Local\Temp\bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe
"C:\Users\Admin\AppData\Local\Temp\bad43ff7e442740fc617c627189d00a924d1b57a76a1580710cee6278b3a5627N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\Pnonbk32.exe
  C:\Windows\system32\Pnonbk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\Pqmjog32.exe
    C:\Windows\system32\Pqmjog32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Pqpgdfnp.exe
      C:\Windows\system32\Pqpgdfnp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        50⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        51⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        77⤵
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        87⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 408
        95⤵
        Program crash
        
        PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5156 -ip 5156
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
322KB

MD5
5bdb8d8b3978629b31f4bfbbcc6b0be9

SHA1
e66c3c522bf8a0eb26b77edae51c0d5a0a3af3ec

SHA256
5644154b347dbca3edc44e22e35b67746c0296d329a8adaa75ddb3e7efd328ae

SHA512
6dad755c26a359317c9fe2368384924289ca8488bcbd31b77d7796441ef2a7cf4d1d63188947b9a8ee35b40b68cbf1d52f1b94a290a6119e1725d754e79f3756

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
322KB

MD5
f4a1f3606f33c7076da5a97fb3c8add4

SHA1
c8269d9b071a8fce0a3cf53dab8e80cf41d4a7ca

SHA256
849f1108f34adc385a0c86ab30d3381a9ea005d1d383d4bc47d213ca0edf74b0

SHA512
3e92a9f442843852675f1e17253839a02aecb49278e0d2520eb979575f38fcc6d3fc68a3e491ff30151f03ea0886272b411c954885c6641c78ff23a2aab3f2c1

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
322KB

MD5
e6e9484ed260435cf282b65841d8d841

SHA1
37670e33f17dd06b5cd47d4fa962d411784637dd

SHA256
8febef1a2bb6e0552952d98e079d2432be7837b62caf8203685d90221b22f10e

SHA512
4907e69db08bf469198d901416e9012464699ddb0f6f5009cc651e2a39dc217af32836b718c8b3bcadf1a0b4305c375e11db0b36af209e59386eeefc0cf81daf

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
322KB

MD5
462f9256728fb546d8ced114e8fd1df9

SHA1
cdb8bd29ae1942d3147f28e4f44498c5149e3e9e

SHA256
5a2fa3b2ce2ca2b4a4da32416c806cbd5d61182b5c02cc47fa997931a7789e41

SHA512
ddfbbe767c7c67cfc1b4f7d7170952f8af1702d9476c19220922d3ca17efd9e8615340d6bd1c50120781d68fbcb9f933fe98810d0a2d95fd6908383b56554431

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
322KB

MD5
a26d5390dfdb7bbb9fec8a76c6b6e222

SHA1
99973446091d4ef463402d75bd9ee7204f4039ac

SHA256
593994cc447a17d8f7c10c54a54a4bbc23444f72951dd3c799eb497700253f27

SHA512
d6d5cc597521ac1e79b64bf6f62d450302bfd256137deccc1167d955dfd40b673dec9d8a8d3563c37ebe1630cada87299b1f0e20a5728ba61aff33698080e92a

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
322KB

MD5
76e7144da6f3ba02d559c20e5612fa3a

SHA1
5f8bfab0c738f859ac47a7e32f4368e8d0300f71

SHA256
1b8ba07697f9d91b43de73012766172ce831828955e3b1451ea78659fb9cb0d2

SHA512
f305fad1d7f98085e4282b1b6aeceed6f71f7b91bd9302ed9782f30be8a4ceaf09bb8ccc00e9d1c67e5e307dc634c1e168ba0caaaaf861046d962b535316417d

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
322KB

MD5
58b08bbfc259127bb692b082b076589c

SHA1
a46fe4295b72299a7c6481d6105dd2fc445c70f1

SHA256
4c152e974260f6113e112d643e29ee62933e3087049852e238d8e5190922d970

SHA512
62d8a242b3f4b1aee4906992333478a98eefd7358891b5c59bb862f0a23eddf5aa5303a4e16d7f6f782a713b9cd6c2db95bd5620c0422b97ce8db5a227d27d34

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
322KB

MD5
4ec8dd754c95ed356f729fc8bf4c930d

SHA1
3901a23b8420cc0564dab082bc947a063c5cfbab

SHA256
3e48a30f4775f2fbfe6516f3930993adc5a59a78767946149f1dfb252614c706

SHA512
9679536306420c3846775a30bb97cd23e71c2357260439d8982ef27acc99c935094856e9489a68a494cf14fa57acb14cf8dd030e8c1b59e4ed6b6c83cb07660f

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
322KB

MD5
e3f66ed00f72db7aad99fe5d00de16e2

SHA1
b77d62f857855ab7d34640c1e48351169e33f165

SHA256
ec62a348432aef2fcbb06bc0f2fd842951981dac5544cfbd0bd76126f7ff8e8f

SHA512
cc690da0f4d98600ddca6291327c2d8f0d19a9de057917aa3b2b782780eb5a0927cc88e0001330837d243df121996b9fda64b6ec6cc41740de9124f224e14200

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
322KB

MD5
3f844cb8f9e2de2698d2dff1c7c6d6a3

SHA1
3df78533169b0474a23b2560c5d88d06f36750d0

SHA256
80d3b4e995d850ee0912f0acc668b075dfa313c909c4bb3f94f99c01b4edcbae

SHA512
ad7d65fbbd32e110b1c7e57b3be4a56c6bacae5fba8f6db0fb7702e1d6f7fea4f54bdf964f018ebc14fdeb520c5f341a89896bdd0e15131fbcb5243e01f786a4

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
322KB

MD5
d61fcecb625a391e10828829d985421c

SHA1
91e3810ca0d40da7bf7401558764c32a458f4b5c

SHA256
3ced21ff0eb09de660ad9f8c1b5e2d6fda603b1cc6586b0cbd835049f9f504c2

SHA512
b4f3f328f53f1f4a88c5752c74211af6e4595e56b0f52fecda61b1307a2e92b0949babcd0f56ed78002b3ed3b2efd2d377e3832547f66f567753ecac72ec90d4

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
322KB

MD5
a5291b767ecda4336efb41cca4f5061e

SHA1
59cce8abf1113bb1418a035207ca0463ab7ef56c

SHA256
801156a84d9c85c093d56598290bd0276142ee79b4e7a9ee7a01b128814f2d70

SHA512
aba7086efd9776e15ea7977a489a49f0281996329a9af32203b139428f6613021ecf7240763e3d4aba97e409b9fab557efcd00eaeed40646ec073217b60e17a8

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
322KB

MD5
b3253b11899c73b31654eaa03cec8317

SHA1
66e6ffa6cbe4f3d4b353403ae76b59334aa23569

SHA256
67e03ae7292cf3af5ebe742032d71d8bd2623a7eed198519c95d30f1a4b0919a

SHA512
1f1f38a49379161ca8db62b4e756ffd72eb933667f99ffe604f6fc91916e8356d8b4c107395b2284726cd6a154dd3ad44f09818e14ad19b47639d3d42bbb65c8

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
322KB

MD5
9474c6e0d5773c7f8d436234a5aff695

SHA1
d577280ddc2e4bd769a3ecbb34851589537ca32c

SHA256
39641a3b05c694187097a81f3839de544fd23fa8add65d99fc4da3783c6a68dc

SHA512
9f5b6790835740f3011ae07f1a45100df5bc9931d1a77643fbbf254947103a63250d052ea64cf3a64f0ab219a67340feacb9bb2fed6126ff6b0ee2444e813559

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
322KB

MD5
2d171b0bea28a136862336d98c5d337b

SHA1
ce2fcb29b788ad6dfd8484370094c5940378515d

SHA256
e00580fe9d33c8017cb9cc5da86d80b56f1fc6866b2a9509742f3345eb0b5003

SHA512
d9db91087d4f558b5639739525ef3367c26aa8cb2162b8f5a050b47e2c6aa909b9e23e5b9499574a48b9f241834de8ccd237883757c1ad899ca0bb4e80e5cb0d

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
322KB

MD5
9b6ffac2bd8c8e5c7d939c321114c71a

SHA1
2f910285d20a791071342aef0a633d65c4a1ae88

SHA256
5bf5a09ae969a1f897579f97287fba100e351d8e78489a732c5c075496d2c8c2

SHA512
d49521ff453117b94cdd189c1976ca2b42e501c34f2ccbf1fc578d80593d62febbda1d22416e57b95fdfee73cd7e7720645b02bf06f32b219eef598592d4dfb4

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
322KB

MD5
06bfad9f01c40871adc75ac9d030961d

SHA1
b09ce6f1e4471e67f351ebc574951221bbc0d42d

SHA256
04cc499ea839008a7920eef8d977d67e7d362fd09b47b8deb1680218e66da029

SHA512
713d8cc5954d87537d1c4f4e3aca9010205ed593e0bfafa7d69487e1f926fbe70bc0bd834e5ce4b797d9692316562848c7e35d3f5373fa00df09044a3ce61e55

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
322KB

MD5
45ef82d691155805952f5c0064c6e446

SHA1
310f9e6582471a18c27e20729c00e89df95abd6e

SHA256
131bb3a7ebb0c7f628c1c6dc205daf747013dfcbee5aa6e5651aa583bffff60b

SHA512
995b86d2e11ee7399dfe0fc0f7857ac562d4c207d2592c4c6d1932f5872737e8a8a18fe57fcb4404c30e14823d43202309223fe054775b13fa55bb307c95bed1

Download Submit
C:\Windows\SysWOW64\Blfiei32.dll

Filesize
7KB

MD5
3d6bf92e20f3d0dd61d717fb1c281cc3

SHA1
334e1f1990bb7625ab43d8547791a46a00085873

SHA256
8d0be5ad637b0add8edeb7d3d9636ba14f3a071ac63fffd45ae7218202569cae

SHA512
84de7083827b71b2bd165d2dec009ad1e86cc699ea12ce536213fd17393b15639594fbd3cd0817b8e992d8e6af5f3ec942fd4bf49c6fd2570626c0766e6d4c60

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
322KB

MD5
dfe39cfa5f42efafd62582431467b78a

SHA1
731d417152a2e7ae2bd283175c459d3c101b9516

SHA256
f3cfcbf61112070f77110fc779d1f91ffc55e1632c20ca137e495363a3d50fbd

SHA512
4906754537e325e5140eeea51e880f26d8f5183cfeb1c62583087e8c96d1c4cc23320040ba4c4543c507a51e0a02fa8968f5162aabaec395cea6c1e5980cf3aa

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
322KB

MD5
af0a22d60d6622c040eaccb6bc91cbde

SHA1
eec484f967bd6b917d01b84e4f6dfe9d9cdebd5c

SHA256
676ec12434829099e8fd679f66432ad44de839d1baaf95a6d5356448ad4d5d1d

SHA512
d15e35aa5fafcddbb3b7bab294b8d50522ca8a16eff840f2dbe6de5ac6f63177dbb0a8d293d01b8cfcea96400983573de62edddfc43cc6e452717bc9e7ba1e5e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
322KB

MD5
26350af2ba3f6e5208aa1ab6a81c4ab1

SHA1
82d6ef8e9f49c338b5ee04c3dfbcc921604c36f3

SHA256
82b363283b55b7653d615326ccef9fa8bf1c143c3009a52c741012c0fe91c481

SHA512
f003cc8e5540846521a3274fddf44c90477b3f66d9ebcdc07244c14d2d8ff1c3c14bca33fde9aeffeb30d4fd34cc4b7b6fabd3de9bf74c98fcd9b406234c1eaa

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
322KB

MD5
da32443fa24bab396909d350526471ac

SHA1
f474f9e1514bc84e740c964018cbeccf9e106b89

SHA256
87d1e820a33cc16528d2dd40a25d0018262c8b5b7507883a0f21b7e92d00739e

SHA512
3b992a1aea88dabc6027a26466a1001694c91412566102501ec2a0499a9f774a96e046ec1ebdbbc4761d7a14c93b26c2d832612b9960df2f448015946702ce8f

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
322KB

MD5
6afa2b9570b594fb6ee40c6f2d81e691

SHA1
1fce0e3f7a6647ee69637534677296aef0590e5e

SHA256
501b597dc0c03751b4b9fb014269b1b2db99a66718d2bf0892d5f7452d058916

SHA512
aca1fd1b6ec4fd44c7a5d41645349ae852d5e992345bbedf744e03ee4e74b903c7a94399e8d80e69371e2a7413eafd8cf0d16052065819a7b9601af3d881d34c

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
322KB

MD5
824afbfc4ff29eaf5edd1529dde04b08

SHA1
ec0a94be2f22f93a8b90ceaad6e65fbeb34775cd

SHA256
a60e498bea44955b815ced7c00c7b390ba80d63d1b1ec5d27a748fb6a3b78349

SHA512
c8be248432337ff9d3db3be0c4a0d46ba0a95ce4d914618e98a3ee74805613faca5c060d66ffd4524b73fac19f04286e514bc8c30516acdd6db6088d81ede396

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
322KB

MD5
5df4cb6f2d12fcd0f194cbffa4e1cd53

SHA1
45659e62b06197b83ec415836ac229cc4229b2dd

SHA256
1367b9a732d04ec6ecc15cb24f98c07c443000436785d06bae3668e30b84ded0

SHA512
a8637b30706cd8cb3c4fd8c4295fdf386dbed2b5bcc4902f1692172f0f91c2cd20042510bfbe8d7ce852cf2e69e15471a34790a98f7c9b342a426046bd1a2558

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
322KB

MD5
12cff50ad57a18be63acfde344bdf8ac

SHA1
1f70600b6b0229563f91aaff1bcebbc34a33d7d1

SHA256
9cddced71c41d500bef5cef1a820bfccf8413167be5239ed7409faa4bba894b2

SHA512
63f33974f5b1a1b83663a0414ad3a840d6d3d6073591a226d2d9c0991478eaf25173e00abba8ab1848bcd1fd7f02c5a61b35c63ccc0d37c26f41793593e85545

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
322KB

MD5
0b466e10bd1d8683cc6d43532ae7c98a

SHA1
15679e4bf21aed789a7632c83d692ff7bb529b4b

SHA256
8f2cf8275e118cd90f3ea1d6d3f3abaca556b004e0ab1d2164cbfe90e2833590

SHA512
5cd22a4598f6668ded29e6bb8d9201d9d9a66a9568ca33f918e9ca13b817d10141d907ccc0644f88674371334678d9bdba20f27be73560f10f0c8fbe14adb773

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
322KB

MD5
4de8cd2f1dd4b504e2d270acf7645ab0

SHA1
03e6c182dae6f82459dca95f343717e93a983e1b

SHA256
fcbe786825a2c762bbb5e9dd7986e3bcb9bcc01c210c686e11946ef19a40417a

SHA512
ccf7ba691fdbcb8f461630ec803cbdc66156c9479b69a469ddf327afd9c8c1f071fab1dc4ca47c6404c4904c10c7d912de360c36caa59957437f07d1458c0a08

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
322KB

MD5
942a03ac36c6407d5038e9425a2cb3de

SHA1
82c7d37db46115d1e6a0e524febe84a65126b5e8

SHA256
72a9d0a51f50bf80b62c93cf143bf92b0c9cb18d52869d700e9c05fc33ee439a

SHA512
148fabb9098a64c6b4571fa373a761c20a7d0706d0483d9791fddf196df3061fc30b08b1c06df5cc8c5f1ae585919cb1a8e8ca5e3fcc8d88ff670dfbcd0bc9de

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
322KB

MD5
4ec2a56d4200cc2517e1b2c14e401da9

SHA1
be62cf043f637063ddf26da2ec11ab390ef3a7dc

SHA256
fbc48b87b0889b717929348b040152396179bfe4f15b4f952d55b0d68e9aa7bd

SHA512
868d852b60ab7f09ef68a9dc675db2fae09ea55a2fd948dbb957823a52c29293a4185ca313cf46bd954bd27a75febd5bd75e360be46cc8d906fa17738ff84ac6

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
322KB

MD5
8cbaf7ca0552e25ad25b0d641598abc3

SHA1
c1a636e9fa24b042df34fef1f02049d76b54656b

SHA256
5348fe4ef053a302fdf8eac5a941df69b6af397c2eb474c9c9868b024ba51f77

SHA512
bbf6f2b8df2bb5b924e9f75637e9c63048dbe08b3dbdd5ab95b8e631db75a73e552550af1276751e14fb05865887b98bbed3ef5326326ae4c5c52b4640b83b99

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
322KB

MD5
81ebb34458dfb8329d43cc0d7c15a498

SHA1
0171601817ca770d6551a8ea3fbba34fae520f40

SHA256
aafc967c5102ba946b86d5092934a8e8ff8a5454ebd402b7941fa3fb609782ae

SHA512
059816aa01906e771081095716b5dd1ba0ea84b3d83aeb54c201c3237fc25b38858dc631f72d47a2536cacecad91af3da2bf816776b12c6ba05a84f793d081d8

Download Submit
memory/224-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/492-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads