berbew | 3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe
Size

276KB
MD5

b005e1746e629b148c32295aecdf805b
SHA1

264c91d2c834ae9be8f908da2bb0b05397815cbe
SHA256

3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6
SHA512

862bef606e155cbdb9c93f1b13a9f2785f1b413cca5d36c95cf7e6488e7a9b1aaa81d65d9819fc8a6b90c7a6856c7e299c5d1452be07ba8a8ce8c5cd462230a5
SSDEEP

3072:ltcY30L9O8DwgN5F4e4dv2w2eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDry:H+Oew9dv2w2dZMGXF5ahdt3rM8d7TtLe

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4540	Olhlhjpd.exe
1124	Ofqpqo32.exe
2828	Odapnf32.exe
4384	Olmeci32.exe
3136	Oddmdf32.exe
1896	Ofeilobp.exe
5048	Pfhfan32.exe
2872	Pmannhhj.exe
116	Pdifoehl.exe
2296	Pjeoglgc.exe
1624	Pqpgdfnp.exe
1416	Pcncpbmd.exe
2576	Pflplnlg.exe
4608	Pmfhig32.exe
664	Pdmpje32.exe
4364	Pcppfaka.exe
2556	Pfolbmje.exe
2052	Pnfdcjkg.exe
4604	Pqdqof32.exe
3004	Pdpmpdbd.exe
1336	Pgnilpah.exe
4600	Pfaigm32.exe
2188	Qnhahj32.exe
5004	Qmkadgpo.exe
2196	Qdbiedpa.exe
4352	Qceiaa32.exe
3492	Qfcfml32.exe
4672	Qjoankoi.exe
428	Qmmnjfnl.exe
448	Qgcbgo32.exe
2976	Qffbbldm.exe
4724	Anmjcieo.exe
4516	Ampkof32.exe
3192	Aqkgpedc.exe
3220	Acjclpcf.exe
4276	Ageolo32.exe
3100	Ajckij32.exe
4112	Ambgef32.exe
180	Aqncedbp.exe
1360	Aclpap32.exe
4204	Afjlnk32.exe
2996	Ajfhnjhq.exe
2032	Amddjegd.exe
4092	Aeklkchg.exe
2636	Acnlgp32.exe
3880	Ajhddjfn.exe
4392	Andqdh32.exe
3808	Aabmqd32.exe
4888	Acqimo32.exe
5028	Afoeiklb.exe
3344	Anfmjhmd.exe
4544	Aadifclh.exe
2420	Accfbokl.exe
1020	Bfabnjjp.exe
772	Bjmnoi32.exe
3904	Bmkjkd32.exe
3092	Bebblb32.exe
4844	Bganhm32.exe
780	Bjokdipf.exe
1852	Bmngqdpj.exe
3584	Baicac32.exe
2740	Bchomn32.exe
4572	Bffkij32.exe
1468	Bnmcjg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5308	5220	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4540	3424	3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe	83
PID 3424 wrote to memory of 4540	3424	3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe	83
PID 3424 wrote to memory of 4540	3424	3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe	83
PID 4540 wrote to memory of 1124	4540	Olhlhjpd.exe	84
PID 4540 wrote to memory of 1124	4540	Olhlhjpd.exe	84
PID 4540 wrote to memory of 1124	4540	Olhlhjpd.exe	84
PID 1124 wrote to memory of 2828	1124	Ofqpqo32.exe	85
PID 1124 wrote to memory of 2828	1124	Ofqpqo32.exe	85
PID 1124 wrote to memory of 2828	1124	Ofqpqo32.exe	85
PID 2828 wrote to memory of 4384	2828	Odapnf32.exe	86
PID 2828 wrote to memory of 4384	2828	Odapnf32.exe	86
PID 2828 wrote to memory of 4384	2828	Odapnf32.exe	86
PID 4384 wrote to memory of 3136	4384	Olmeci32.exe	87
PID 4384 wrote to memory of 3136	4384	Olmeci32.exe	87
PID 4384 wrote to memory of 3136	4384	Olmeci32.exe	87
PID 3136 wrote to memory of 1896	3136	Oddmdf32.exe	88
PID 3136 wrote to memory of 1896	3136	Oddmdf32.exe	88
PID 3136 wrote to memory of 1896	3136	Oddmdf32.exe	88
PID 1896 wrote to memory of 5048	1896	Ofeilobp.exe	89
PID 1896 wrote to memory of 5048	1896	Ofeilobp.exe	89
PID 1896 wrote to memory of 5048	1896	Ofeilobp.exe	89
PID 5048 wrote to memory of 2872	5048	Pfhfan32.exe	90
PID 5048 wrote to memory of 2872	5048	Pfhfan32.exe	90
PID 5048 wrote to memory of 2872	5048	Pfhfan32.exe	90
PID 2872 wrote to memory of 116	2872	Pmannhhj.exe	91
PID 2872 wrote to memory of 116	2872	Pmannhhj.exe	91
PID 2872 wrote to memory of 116	2872	Pmannhhj.exe	91
PID 116 wrote to memory of 2296	116	Pdifoehl.exe	92
PID 116 wrote to memory of 2296	116	Pdifoehl.exe	92
PID 116 wrote to memory of 2296	116	Pdifoehl.exe	92
PID 2296 wrote to memory of 1624	2296	Pjeoglgc.exe	93
PID 2296 wrote to memory of 1624	2296	Pjeoglgc.exe	93
PID 2296 wrote to memory of 1624	2296	Pjeoglgc.exe	93
PID 1624 wrote to memory of 1416	1624	Pqpgdfnp.exe	94
PID 1624 wrote to memory of 1416	1624	Pqpgdfnp.exe	94
PID 1624 wrote to memory of 1416	1624	Pqpgdfnp.exe	94
PID 1416 wrote to memory of 2576	1416	Pcncpbmd.exe	95
PID 1416 wrote to memory of 2576	1416	Pcncpbmd.exe	95
PID 1416 wrote to memory of 2576	1416	Pcncpbmd.exe	95
PID 2576 wrote to memory of 4608	2576	Pflplnlg.exe	96
PID 2576 wrote to memory of 4608	2576	Pflplnlg.exe	96
PID 2576 wrote to memory of 4608	2576	Pflplnlg.exe	96
PID 4608 wrote to memory of 664	4608	Pmfhig32.exe	97
PID 4608 wrote to memory of 664	4608	Pmfhig32.exe	97
PID 4608 wrote to memory of 664	4608	Pmfhig32.exe	97
PID 664 wrote to memory of 4364	664	Pdmpje32.exe	98
PID 664 wrote to memory of 4364	664	Pdmpje32.exe	98
PID 664 wrote to memory of 4364	664	Pdmpje32.exe	98
PID 4364 wrote to memory of 2556	4364	Pcppfaka.exe	99
PID 4364 wrote to memory of 2556	4364	Pcppfaka.exe	99
PID 4364 wrote to memory of 2556	4364	Pcppfaka.exe	99
PID 2556 wrote to memory of 2052	2556	Pfolbmje.exe	100
PID 2556 wrote to memory of 2052	2556	Pfolbmje.exe	100
PID 2556 wrote to memory of 2052	2556	Pfolbmje.exe	100
PID 2052 wrote to memory of 4604	2052	Pnfdcjkg.exe	101
PID 2052 wrote to memory of 4604	2052	Pnfdcjkg.exe	101
PID 2052 wrote to memory of 4604	2052	Pnfdcjkg.exe	101
PID 4604 wrote to memory of 3004	4604	Pqdqof32.exe	102
PID 4604 wrote to memory of 3004	4604	Pqdqof32.exe	102
PID 4604 wrote to memory of 3004	4604	Pqdqof32.exe	102
PID 3004 wrote to memory of 1336	3004	Pdpmpdbd.exe	103
PID 3004 wrote to memory of 1336	3004	Pdpmpdbd.exe	103
PID 3004 wrote to memory of 1336	3004	Pdpmpdbd.exe	103
PID 1336 wrote to memory of 4600	1336	Pgnilpah.exe	104

C:\Users\Admin\AppData\Local\Temp\3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe
"C:\Users\Admin\AppData\Local\Temp\3b9bf34d75465449c548dd35fe4bfb89c97331e17b55c2175449434817175fd6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\SysWOW64\Olhlhjpd.exe
  C:\Windows\system32\Olhlhjpd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\Ofqpqo32.exe
    C:\Windows\system32\Ofqpqo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\Odapnf32.exe
      C:\Windows\system32\Odapnf32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        31⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        32⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:180
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        45⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        66⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4212
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        83⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3420
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        95⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 212
        104⤵
        Program crash
        
        PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5220 -ip 5220
1⤵
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
276KB

MD5
2aca0727b24d7e579ae2adc5212a2b7d

SHA1
232482838204ee2cb379042226de1901da865da5

SHA256
231ec204dcd6bd0c0717176f201207bb51d5f050716837d9d01aec16bcd91033

SHA512
2b25afd018521792c07dc93f1aee127212a5be1d66c52a2f8471af05f7c1ea074655824c5ea3df04faf48c8db57b720a9d18cab05802efdf3b3393a1a2cd4d24

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
276KB

MD5
1f01df7d04993fad8f557164d24006dc

SHA1
30e4a7ad2f814790d36924f6c2732b867346d2cb

SHA256
c9dae2aa199637027b1984fa82f91e244e2f1c914d701e6b07b131e3717aaef2

SHA512
df2d170abcff30d44c9cc0b4fc5dd8b6e88712f90fb84c1224ecbc1e0672a825de656ea2c2d6a18c0d347bbe73c4fb6e568fba1a5df44da415bc337ffc57248d

Download Submit
C:\Windows\SysWOW64\Gmdkpdef.dll

Filesize
7KB

MD5
94179a1a92a299a2351a8c5153f9ea5b

SHA1
5717496724764191653f2532b507780c3f57fa6c

SHA256
7fc8f19c33d75cc040476ec6558197a3f1baf091b6afb68b669881bb05065297

SHA512
aeef4efd926547ebeb0dc45e1944fbaf23a98f253f74a22a6b0789bb14026a4d9e6d0a1bd149ac71be5498c333ab6b509ee284809b2ef16487ece31995805a43

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
276KB

MD5
83c21b7a529d2405af4c0ea513b3051c

SHA1
64301a74aa8e5d1e9dcc7919baf433ce6749eb43

SHA256
3d480cdb95e20e69ddb878631e3e2313d897e375891957b7d1a5e627089cec1c

SHA512
9ab8e127ce8b1bf26d0b342b68b13d5b58c1e93beaff54218e18dfd91e9f0878e64da1fbc9b1e7f0638e58bcaa0b2b4d10fe2c18aecdb5937a43ce866d9c0693

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
276KB

MD5
735b43d203f4a6d396c280a6cecec7a5

SHA1
ce55e57a9f889057113947deddda3a04c66e8180

SHA256
26a05e94247ce202e6769ccf34e22b18abda1fc09d7dbb298e9a15ae67eb963f

SHA512
adea860f48b3e4483da5afb9b35c41759f7a4f451a1abfeed995381a156f105a78d0e5bab2dd60e72e89340fece001eb33bf37e2575c65581406443c6ea72c5c

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
276KB

MD5
3cf2a27193e6416bbbbd26295e7a9303

SHA1
f0d4946e3b6134ff818a161ff84ddd01a6c430f3

SHA256
116fb60b41838e0544f2cfe6f1594397d26bfa405d9eed08b16395692abb8eef

SHA512
7edfbfb33ec191268bff44b1c685a4425ba31d1d2446a2b727039bbd8e3e22823aca48e9c2d9fd5d088903152776cd6aeff362dff72ec683c0b345335366145e

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
276KB

MD5
c0a38481dec8ea51866b228e26f696ba

SHA1
ea69609348155ae7b8d0cf3d8b233f6a224b6c24

SHA256
d0252713c6ce7ce7b6c0ec84e7baf46d98994eff3665c13b2d9ac06d2eba3c90

SHA512
7692aa6a6b1484ffaf0bf28686a9a577a4cc43140019fd10165138ba513371f9c78e35cc3a5befdb1666084f642807cfdfa9b5062474093c26e3b0e9779f315a

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
276KB

MD5
29bf00d59a8913f186e4489ff0c8ecb7

SHA1
f1cae5adcf9c6193278da5b3fde73a74db09b3b3

SHA256
2e7a577da59fad6726bbb4f1f6b17ba52de60dbeec97b7bc6c6d05e6f6215dc1

SHA512
8b6cb5e567941e1b3d9a7823def756f1e328f9f1888b3fe598a72e056e8e77374dc1b5e7f8005ccaab9dd84b390e5928e4f134109c0b0bd1f7c23da2fd0dc417

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
276KB

MD5
5ce7b2e870e58f8dc29158d5d2fb1653

SHA1
121ca3d8354e586a8e83afd3413de754c76b9777

SHA256
f3715bfd2f5eb227e0e16cf4697c0554c1ae402d66edb2b3b56bb7d6170385b2

SHA512
a2f76ba1eb7e0b57024e77cc42d52a8fc333906c7b8a9c339db820423bedf818bed7fe59273c5cabdae20dd1d482f9c8cff3b5e8b89d1d232e060d08933cb39b

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
276KB

MD5
db0a422613bcd5a31ad295705012b043

SHA1
dd7a21405394fb3a27bb6fb08b85e2e32dee2532

SHA256
1efbffb29ffb8e226d37b34111b4c74973f193a65f5e8b1847bfd8394b7ab59a

SHA512
e9c14e97289106d45ad059f0009939c60e526f456733806eda57c735dee147a634be33206e0fa5c4aae644682e6b1fd3b7c091d211da74b081cb09e94fe55296

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
276KB

MD5
f3c54a91fc8c0b2389fdd6deb3e19684

SHA1
60a69c3c7d5d190a52ef363f2d40f86c59030f91

SHA256
b4fc3247afad15cd1b99b69f1afe7062429147b37f1a3c717b1fcad55affe8f7

SHA512
767d03ae9ff926f51a5dbba9273a54242449a5688b5c0fda4b677f57b5aa7790dce193471236ccebb349fb404e8ec718248138e1ee9f5429e23315b23583a1c2

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
276KB

MD5
ccf95f7c4be3642034031d9a985c86d9

SHA1
30bcf84c48828f5dfcb9dd6bd1fb3144f3272fa2

SHA256
6bd1430474ea6c55e74b63a801d097d6a8fb128b2ccde487094433c85e62af9f

SHA512
b44509fa2ddf85a15182b70fcfeb2e248396b0e4b292fe7f6acec34ed22caca940c4d836ed572b22c968edcc9396b0bea7deb33709af5622818c251f8c9af4fd

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
276KB

MD5
bbbfb3ef9518e60be19cfb26d796a9f9

SHA1
8ff24a6a349c7b61d8b9a961bf338be8f1dbac80

SHA256
b4ad6e4f7beffea8d728f73244cc4a80924e722ad54482ac796eb8ea0c85865a

SHA512
70a0ba1c194788cb05645ff3fabeaa2d2b1fec140f111708fd6b2be2d77c800b61241971d8c5614805054b085d102a3f65f3e52e6eb13ae40c4e206561798b15

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
276KB

MD5
c22c40e6835d189d80b391b4bee86dd5

SHA1
ece1687ce3fcdfdc3f3473edd51749c23e07f1ba

SHA256
249fe5b206adf8eb37cf0a2655013907afeede7a6d88b139e981ef3c282b2ab1

SHA512
e71a1a3b1ef617cb94e8b263ace70c45df16676246d65d06d4ffa06f3b29ef28c312b9ceeb25f24c8a6d229069fac4abed1aee11e83cc12b82e6b4d553789517

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
276KB

MD5
f84cbca2f6c5d034d38996b10928f497

SHA1
8abc82383b7819c3aac7674953dfc4e6bf345cf2

SHA256
23ba72e6df9929ff7eb9f2e456f2d28ff825d0cee6e6f247ac6d74549033cfb6

SHA512
ad2f4b83a8189b41e63e3dbf81f2c1acb15a2a9b598f541d82aa9ce21875fde41b446a1e58229efaa2e3c4377210b01425a9c4f1b793163d64fd75f8450b891a

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
276KB

MD5
ba462d0f3b35e4f8d105f51dd9d4b67a

SHA1
f842d26ddb787e7658d86777b98115dc0574a9c3

SHA256
f6671d4d0797f9a0999097db2b280298af5a6d8d54b69e391e6c42504f2090c2

SHA512
f82115ec583fd6527ebaed383ce69df71e50459209e35c373918828001b3aa35ce0866ce147ce8fbd50e3fb87dd39c8cc9d9c725272333e20086b163e61e618d

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
276KB

MD5
eb9bd193ae61b6dda5f2f3d88c380f34

SHA1
1074254d1445675c4cd9079104ec7d50d5d65bb6

SHA256
006a8db1f076e1b09ccf586344bbd45e820518caa358d6cb0281fbd1e24030d1

SHA512
28f6f5ceebaf3a578268a29420089360b2094d9a243df10c4b0f3397e11c2b8f74c0f571067d64ff169aeac5f5633a569db9459254cd8856204ef25c2ac579cf

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
276KB

MD5
36754844b559782260f5372ab987d6a7

SHA1
e92dd051494cf5289ad94ce93ec1abd385429639

SHA256
269cd5748e261d67b1b12ba15c58cc0f925ebf55c9d989c5a0b2fea58511a70a

SHA512
84731319a8d61e4293f5d39a843393108e0ab6c1c069e6db4423f6ae921c236384da08a0371f60ad16752c8295a692e55b902c408cba27dd165891e1b9346c2e

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
276KB

MD5
1a0e2fbf9ce779ee94d0be3618a7fe29

SHA1
7bb8fe3e9d00e0dd56ed3aa763aaa38addc6ffad

SHA256
88859d009fef4427daf281439cf59184e0f17e1b61135266da7bd2c0449f1e57

SHA512
43509ea327f1649d71fb448bad24a610dfa4ea5c50ca4b01934fed282e592906a5645283d5d07a24ed4d0608bb382d5cb287da6ab98c179200721d20a1ca139d

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
276KB

MD5
66ce3963ea99acbbd8c39f31952f707e

SHA1
353c3c275a6020215828f5ab776df68b6496b85b

SHA256
897fd51d6e242237a91b5c79e26daf0a6dec4cb5499339314883a0dc569d5807

SHA512
55d2f9cd89a4485d9ba5a0f16909a0d4e0e745a7795f7708b91a4b3cff2644c7e9941faf2bbface204a05a1f0fa527c0137788a873c17757e6912274922e5de6

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
276KB

MD5
141a601f9e9eb08ea90e760a0b4d7f6c

SHA1
e509b7a0e2f056384ddbcadb08d582c6c1489647

SHA256
bd6eec595afddaed5aac37449c350ba34e9390bcfb7b5086d4f0aa323eccafa6

SHA512
c0c202ffe97b4d1531b2472e064c1ced6c39459280f7f2f71c619b7f6c629652543455e95750d28729a83681626695b6689cd3e8d62cdd654f6f056f061cc10d

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
276KB

MD5
761255621e78e5254847b63834ec3e81

SHA1
99cb854be0c05db41f2aa2d922a6636d7ee880dd

SHA256
3cbebaec5698928fc38b780fd337922a4c8f21a8a07470e3f299e7fd9010eaf0

SHA512
cb828ade2fd08a5c41c52d2d0fd497deee4eea3fcc8381f8376a4cb72320dd51c26f013391ffca5b76831ce2a4618f44bb83d7b2dfcaa09ed01efde5f3913db6

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
276KB

MD5
1fcf6c5b6535cdbf75942ecfb43f9300

SHA1
78de86a32c3d662799a8560c53c3458aaa611443

SHA256
e73709e261c630fa7201ce1bd33ed5e6487caff78b422b8de1452c4063dad969

SHA512
4f7fa8e2974fdb1ab5fd1a877c5d723a7999479b86c6b320397753ec24d4f947df9c3c67f3bcfd40ff49b11efc68d306d1f9bdd254e1b939773371624a9b05db

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
276KB

MD5
bdd13fd3d0596daaea9783f4c0818f47

SHA1
f6e3e0ef7e1c1123e12de4817574a1d5f3689d0c

SHA256
baa22e9ed635e20484858fa06d0f150eff37a914b81e41c1c27565efe6ba84d6

SHA512
61fa06dae618d285951cb1c0356c890136e555c22cd79673cd3f4611a703e6de95f392466a03e33796be78e3dfb4812a590134679971b2859915794cfa6f40ca

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
276KB

MD5
c4959d7afefdd0a2f12daeca2cc4c02e

SHA1
d6e34ef2c2d776ce7ab4a9fcc35cd18b297210d1

SHA256
7793a21c1717f010f53e23b9b5ac4e68dc2b5e3e830773ba463b0b8995b2ee0e

SHA512
da54d83c75d984d4d9f9055c76d6c969c76fd7f30681a0d3ae79df92d1094efd86180c89e7cc4cf6517cbc568c0006429f659f01dcef49ec2c66bb5e8a017e94

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
276KB

MD5
8aaca5abb656581d66f41dead290853b

SHA1
615fd1cbede896e6b01c654d88a409e5d3f163b6

SHA256
cab7ee5a500d5b4aba78d220dba17d7ad897f85d594326048860cf039f69eeb9

SHA512
b3af68dc9b26e7412a281caf8f2624580867a416119e6cb08a0fd10c40e7da9b0e519a27d0d922c0d979722cdfeabdf79f32ce1fa5d2d24687efc3d86f6bd2a2

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
276KB

MD5
17580bfea1f03bc98504ed46f1775b18

SHA1
ae2046bca20e1f8699b8b3912f699daa6ab7dc30

SHA256
071986e115fee1765c2a432d58611fc00de7566c1c5c5f0e59b959e1736162ce

SHA512
a979e86d9fb496e6e2ad7d8143fdeca4faea999474238b9ecf5b02750819c318256afc16f2386f75d8feb153734344507b31ffc2be059ab3f172c9f58f4433ea

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
276KB

MD5
5ae013ff40375e2984bd838b649df8e9

SHA1
bcf70d9aff5e63c09cba591c69011bc90012ef9d

SHA256
3741191b1f6d766ae8ae6a521f171f2a281305373513f3e48e8bf71a672b9940

SHA512
30ae1fc838eb27446d9cbb20e8cd31766702388490b501b3b563958218ebd51c7c0705a0eca8fb6442af8e4513e1ea9c13445ccd19cd9ee6f322b1f8211788a0

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
276KB

MD5
ebfd12f171460006ef7906f7a43679b5

SHA1
ed79cd72974b2bb0c382510a9ae7cae06c26f1e5

SHA256
c5178aeaa93088e12fda4284b5225d660d954d423ef99657ff7167abd9e2baa1

SHA512
0d24f55ec621951286abf9e877ead515b6339f5480220eea45b05376b8b695c83be6a9f5b6f6abd80a34257b0eae7d31247d9ac7b5abd8cd3c95659917f0110e

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
276KB

MD5
eccfea0e1d024e15916dad3d87cec40e

SHA1
066eb98143d079327dcc0c99364e09817089728b

SHA256
e9b609a4e065dfe92398b56fcbd6e579b9a6e6c0b91bb0baced1e85f7e54ef95

SHA512
f353dd671e33dc230d26c57c779604560c3b2cfe2107ef4472fe18f6f46b7440b21474b1952a47f2bdf0595ea500fb7239d4c8364e098f44aef4bd40dceb678d

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
276KB

MD5
4de27e066ae48fbe2f7997c43dff6c7c

SHA1
14bbdfc8d4cddbc2fbd580d2d3a4699bbe7322cc

SHA256
d0ed1026dc416129d41abae9619e63782d28499d3ca950c5bfb47c0110407a00

SHA512
0f8d0be760d999f270ac795c9c9379d133b96220affc9efe9a3505b32132a9fd15992ed3857b93b73c4d525e827e64737642aaa412d4b0f04349b1c241f71b37

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
276KB

MD5
c66cdbb57cc61f83c862e720e99d499e

SHA1
1dbebc0e40bd4d199a7f8eae7f6ef2ac2073f315

SHA256
b58018b82ffc813badb903e7b899885798ac0a21e9fff05433110e3ea97a859d

SHA512
baba410d3a871da6585ef7976c77737dff22c5a5e2b40d87b9f7fe573f8689bc166eaddeb494c7d423f98d83269a1bb703f754cfe269763bf5aedfb40a29c08f

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
276KB

MD5
0ee74804b980638ae2a628f85f2e4235

SHA1
3efca629646aecb4720507e2a75e732b4a35d496

SHA256
51000688d3af9bee11ea929cef0ad1eb6ab8cddb5b8a17346933ee30f56b3f61

SHA512
4ef11f4533df630832865530dc18c7b5765f890d921477d4ee751551abe1bdd618f42fdc64571a630abe9c1949ae3390666fcd96b115307dcecbc83442725227

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
276KB

MD5
53aaffa2da8f9be5e4132084c9360da0

SHA1
ee5c7ba4388495ec93e3985e7b0625c6a11b76e2

SHA256
57efc1d3f53c3622bacf22a5d5c4ad8896002c114af2c2d134ad0de7730a3505

SHA512
2714878eacd1bc29ffe82bef49119032ed88d771441cf45cc482dc4aa75e94115f6683a2e0a50c81de2c47d07af9569a1fc9f1a3257a25895fe68c99675f1a48

Download Submit
memory/116-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/180-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads