berbew | 5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
Size

67KB
MD5

00f228430624d93520cd0b6784d2553a
SHA1

56779606fe21d21adf644bead54f3083d18156c6
SHA256

5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58
SHA512

6ecc810bedb4304349c4f0c2506dd7ba080fca5b5f52c4ec8ad67f27dc8779223a799278d82376b0d2c7ec17f0b74cb14f6381f2222bcf6ceb7eb93b2bf6bb17
SSDEEP

1536:C9VJhkoyfeZuUF2bSbkSwi+lvKuIGm1cgCe8uC:IVPkoyfmuq2OQBi+UuIGmugCe8uC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1408	Oqfdnhfk.exe
2900	Ocdqjceo.exe
1672	Ofcmfodb.exe
3548	Oqhacgdh.exe
3288	Ocgmpccl.exe
4924	Pmoahijl.exe
4652	Pcijeb32.exe
228	Pjcbbmif.exe
3640	Pmannhhj.exe
3396	Pclgkb32.exe
400	Pnakhkol.exe
2272	Pcncpbmd.exe
1400	Pjhlml32.exe
3224	Pmfhig32.exe
1344	Pcppfaka.exe
1568	Pjjhbl32.exe
2432	Pqdqof32.exe
3724	Pcbmka32.exe
2080	Pfaigm32.exe
2660	Qnhahj32.exe
4088	Qqfmde32.exe
860	Qfcfml32.exe
3240	Qnjnnj32.exe
3660	Qcgffqei.exe
2608	Ajanck32.exe
4496	Ampkof32.exe
1152	Acjclpcf.exe
3852	Afhohlbj.exe
3560	Ambgef32.exe
1112	Afoeiklb.exe
1660	Anfmjhmd.exe
2980	Aadifclh.exe
4892	Bnhjohkb.exe
4804	Bmkjkd32.exe
864	Bfdodjhm.exe
4912	Bnkgeg32.exe
1320	Baicac32.exe
4684	Bchomn32.exe
4888	Balpgb32.exe
2248	Bmbplc32.exe
3704	Bjfaeh32.exe
2616	Bnbmefbg.exe
620	Bapiabak.exe
3236	Cndikf32.exe
2632	Chmndlge.exe
4868	Cnffqf32.exe
4192	Caebma32.exe
1492	Cmlcbbcj.exe
3488	Cdfkolkf.exe
1212	Cjpckf32.exe
4740	Cmnpgb32.exe
4904	Ceehho32.exe
1540	Chcddk32.exe
404	Cnnlaehj.exe
3284	Cegdnopg.exe
1128	Dfiafg32.exe
3448	Djdmffnn.exe
4584	Danecp32.exe
4472	Dfknkg32.exe
968	Dobfld32.exe
1828	Daqbip32.exe
4752	Ddonekbl.exe
2316	Dkifae32.exe
3044	Daconoae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	1624	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1408	4552	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe	83
PID 4552 wrote to memory of 1408	4552	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe	83
PID 4552 wrote to memory of 1408	4552	5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe	83
PID 1408 wrote to memory of 2900	1408	Oqfdnhfk.exe	84
PID 1408 wrote to memory of 2900	1408	Oqfdnhfk.exe	84
PID 1408 wrote to memory of 2900	1408	Oqfdnhfk.exe	84
PID 2900 wrote to memory of 1672	2900	Ocdqjceo.exe	85
PID 2900 wrote to memory of 1672	2900	Ocdqjceo.exe	85
PID 2900 wrote to memory of 1672	2900	Ocdqjceo.exe	85
PID 1672 wrote to memory of 3548	1672	Ofcmfodb.exe	86
PID 1672 wrote to memory of 3548	1672	Ofcmfodb.exe	86
PID 1672 wrote to memory of 3548	1672	Ofcmfodb.exe	86
PID 3548 wrote to memory of 3288	3548	Oqhacgdh.exe	87
PID 3548 wrote to memory of 3288	3548	Oqhacgdh.exe	87
PID 3548 wrote to memory of 3288	3548	Oqhacgdh.exe	87
PID 3288 wrote to memory of 4924	3288	Ocgmpccl.exe	88
PID 3288 wrote to memory of 4924	3288	Ocgmpccl.exe	88
PID 3288 wrote to memory of 4924	3288	Ocgmpccl.exe	88
PID 4924 wrote to memory of 4652	4924	Pmoahijl.exe	89
PID 4924 wrote to memory of 4652	4924	Pmoahijl.exe	89
PID 4924 wrote to memory of 4652	4924	Pmoahijl.exe	89
PID 4652 wrote to memory of 228	4652	Pcijeb32.exe	90
PID 4652 wrote to memory of 228	4652	Pcijeb32.exe	90
PID 4652 wrote to memory of 228	4652	Pcijeb32.exe	90
PID 228 wrote to memory of 3640	228	Pjcbbmif.exe	91
PID 228 wrote to memory of 3640	228	Pjcbbmif.exe	91
PID 228 wrote to memory of 3640	228	Pjcbbmif.exe	91
PID 3640 wrote to memory of 3396	3640	Pmannhhj.exe	92
PID 3640 wrote to memory of 3396	3640	Pmannhhj.exe	92
PID 3640 wrote to memory of 3396	3640	Pmannhhj.exe	92
PID 3396 wrote to memory of 400	3396	Pclgkb32.exe	93
PID 3396 wrote to memory of 400	3396	Pclgkb32.exe	93
PID 3396 wrote to memory of 400	3396	Pclgkb32.exe	93
PID 400 wrote to memory of 2272	400	Pnakhkol.exe	94
PID 400 wrote to memory of 2272	400	Pnakhkol.exe	94
PID 400 wrote to memory of 2272	400	Pnakhkol.exe	94
PID 2272 wrote to memory of 1400	2272	Pcncpbmd.exe	95
PID 2272 wrote to memory of 1400	2272	Pcncpbmd.exe	95
PID 2272 wrote to memory of 1400	2272	Pcncpbmd.exe	95
PID 1400 wrote to memory of 3224	1400	Pjhlml32.exe	96
PID 1400 wrote to memory of 3224	1400	Pjhlml32.exe	96
PID 1400 wrote to memory of 3224	1400	Pjhlml32.exe	96
PID 3224 wrote to memory of 1344	3224	Pmfhig32.exe	97
PID 3224 wrote to memory of 1344	3224	Pmfhig32.exe	97
PID 3224 wrote to memory of 1344	3224	Pmfhig32.exe	97
PID 1344 wrote to memory of 1568	1344	Pcppfaka.exe	98
PID 1344 wrote to memory of 1568	1344	Pcppfaka.exe	98
PID 1344 wrote to memory of 1568	1344	Pcppfaka.exe	98
PID 1568 wrote to memory of 2432	1568	Pjjhbl32.exe	99
PID 1568 wrote to memory of 2432	1568	Pjjhbl32.exe	99
PID 1568 wrote to memory of 2432	1568	Pjjhbl32.exe	99
PID 2432 wrote to memory of 3724	2432	Pqdqof32.exe	100
PID 2432 wrote to memory of 3724	2432	Pqdqof32.exe	100
PID 2432 wrote to memory of 3724	2432	Pqdqof32.exe	100
PID 3724 wrote to memory of 2080	3724	Pcbmka32.exe	101
PID 3724 wrote to memory of 2080	3724	Pcbmka32.exe	101
PID 3724 wrote to memory of 2080	3724	Pcbmka32.exe	101
PID 2080 wrote to memory of 2660	2080	Pfaigm32.exe	102
PID 2080 wrote to memory of 2660	2080	Pfaigm32.exe	102
PID 2080 wrote to memory of 2660	2080	Pfaigm32.exe	102
PID 2660 wrote to memory of 4088	2660	Qnhahj32.exe	103
PID 2660 wrote to memory of 4088	2660	Qnhahj32.exe	103
PID 2660 wrote to memory of 4088	2660	Qnhahj32.exe	103
PID 4088 wrote to memory of 860	4088	Qqfmde32.exe	104

C:\Users\Admin\AppData\Local\Temp\5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe
"C:\Users\Admin\AppData\Local\Temp\5b69d228c88c13d4b4f7cfda9332d743aba7441b8267ff0ba5b8e20d765b8a58.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\Ocdqjceo.exe
    C:\Windows\system32\Ocdqjceo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Ofcmfodb.exe
      C:\Windows\system32\Ofcmfodb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 404
        69⤵
        Program crash
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1624 -ip 1624
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
67KB

MD5
2df440d38bc5af9e6bb0949948e39978

SHA1
6381dc334b9c51f67e0be4bd4362d2717827125e

SHA256
3ad53a0b71e3ed141cb35f404a248cff109c50d2c4e9d9361568254fe25598e9

SHA512
deb4f48b9db879fa220d0a5874d17a7e5ab0987ad9bd9a6c68cbac08cc161c2f53ad7f807dea393436261ebfab4ed496f8b4da4a15c8303ca5cd6bcb67534885

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
67KB

MD5
41551a2fa0d953144a3d0a669f31433c

SHA1
ce25af8ed91fd1eb4afa043a108c06a426d32aa7

SHA256
0694c20854af379f3dd5cfd7dd20f893dc84e1a52ebf908099d16049cce1249b

SHA512
3dbbe9551e8b9269b40bff4ba74b534dc9c6bc120d0d92d8c4be0296dd1013842a68a1d3b578223f48169c18c9bc3d362a4c680b7d55a16ea0950101a14c0c5c

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
67KB

MD5
889d52d7792490f5e6ec8c1e8f6a2de7

SHA1
3160b09fecc83f0ba1b1925f389b530becf8c3cf

SHA256
51ffb417e17ac6d4fd95f62a5b314579b96221fcf2585077d9aed256aa627a7d

SHA512
4bed47547b4b397014a668658d1712dc66923a74b9c9b4a2606577ae5c212f49b6658b437cafc9a771f68213968becde1262ee4c0d19b3036b97a9b06d2c86c4

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
67KB

MD5
582b91b031dcdd25319139ca405a43cd

SHA1
1c51162f04b898c0d3d8452a00fc4e655808e11d

SHA256
1badca9e0e80f883feb3774d09fb29f3ce644cd1a29a3cfa006af60d7c131854

SHA512
44aa31c2592f506cdda5a7acd2d62c05860f3fae5e4c73f7fc921f1313b94a5bc41c80af8ada56ca5dbfcef2721f3b0042dfb007704e043409d42a2f6ad57815

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
67KB

MD5
357f0328f52ecee927b183d2cf4afa85

SHA1
1c67b83d43eaac7e30dee5a7db3af2bcde6700ff

SHA256
ab51999cacbd4a1433172af6c5583ec9b89ba773ee43145bd714d3d119bfc7c1

SHA512
9d74d31ead8bf4888173402f248f51fe8f4019eb119adc9668d0bf063c7c1db62c78cdf8f2cf044027e7f85d134e2a44a1c06cef267e661455fa1bfae1b92dc8

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
67KB

MD5
4022a854e35d2b4267f64775e4ef3881

SHA1
1c8ba7ede92e39a58e4455c01ace8f3b94d7cfe8

SHA256
211ad224d3a1b5758988dea44b6762e28b33080f105308716ea39ad8ebee78cf

SHA512
458a9afca536a5d38d83bb8b6a8393b2c6b7242d3ab6c779b75e7d4096b8b50c061b9a96c826e23b348332787a7943821aeefa74f2d5dbd6f376b98bc35a9952

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
67KB

MD5
a4d227f80c5c33c676556e6cfef9adfb

SHA1
91ddcc64082fe77ab06f1a0fd8bcd37f75526c98

SHA256
b4b9eca4b5b3a7e402632b58ffcd3e144b2bf947f99a61d50411f548fc0d0feb

SHA512
dc295e67ba93e789faccd055368922aa642223c1542a72180eb92f73a304c76f03f2b560559e40972bd892efc98d98c7ab7df662828a5da571cb5b39912a6da5

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
67KB

MD5
ebfd0104c0243794c83c7103160e62d9

SHA1
c9e42f5cad691dc618b014a6c324bcc46fbe8968

SHA256
48bb7bc85bdcd51214a48b0dcb118f8b9bdef46569160c5c53e1fe4c58509493

SHA512
28c6db72401cb3e91c7849841305dab20bc024598dbd3a7a43f5307aa4d8743191565f8e8001028bca3ac1c10dc3415a63881751d7f1d51f1dca7310bbb20754

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
67KB

MD5
3ef18134de07129946040848594aaf0e

SHA1
a69dc2b28cdbeef00f55b19f2340a9d0c221072d

SHA256
6048c9da98ff89714cbb3c72db6f780f8a02676e85b705e743e5301efe615023

SHA512
1227dc51c9810b99f00313381e80a4c85bf37e50c764e81d5d54db54b2563c54b47ec014cfb37a5e0b15de7c7c910f9e4138544fe08ff7fd3a3be019adcde4e9

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
67KB

MD5
7864da456a2ee980f62071f27f46be12

SHA1
75c34b6bc0038032d59512dece0b37665479243b

SHA256
c024c46d59716cd5414a6928c5f6df6be4b5f25d5ea715d768e878fd0ec0cead

SHA512
24096776c6c00f0de6b23b380371fd1951f64d2274187c02ab5cf58e066b37ccfb70ed237c5f2d36bcedda275f011404e89d64d4a0e82ddbaa5931201a7943b9

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
67KB

MD5
812631823303435a0f38de70903e5b3e

SHA1
9af69d575bc62a1cfd41642b95c4231c2679ffbb

SHA256
6cb61989662b927eb771d46181d15bb264f555b8bd854272759dcd2c214099b8

SHA512
7633e40bcfc4f7bf53234df5a0457d972617c97e2ed186d3b0e16ef5c9d634465bf2ffcea2eda50b2f572a7b10eb3490c49f47313fb98171d1a161df840f7909

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
67KB

MD5
bde796dca21b6c1263af362209f4d488

SHA1
2d7376c3c7a69ea812dc4e1cd06b21e551757f1f

SHA256
333211f275c4b99291c963e498adbb4ad71514a62b316bab5271fd6c01fb8481

SHA512
8a420523c4dd5ac3b25533457d3f9a770bad2e61f3077832da8fb368fb307c1be1cc16236fa5f7ec2b65200e9b58f213ace16f37f43a99602902dc1fa3560f11

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
67KB

MD5
0de01da4912271da11401355e06884fe

SHA1
66640de8e622da2a4befa870ab392894e8e79ed8

SHA256
57c9bb837581865d3c708e6a040fbeaec1551e6cb9e540ac6fc8bf1a4a8bf4a8

SHA512
617fa619c9929b3cc6dfc0022b6d6f7ad08f6b6a7b82a184b964b863766d3ff251da5e627883776ec10705fcaaaf67ae3d8ac363841bf54a85dc362806c4d76b

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
67KB

MD5
fe80a99c61b82f53dfce8a5c1308f272

SHA1
e7294e1c01e63150f8b06d71804cfce811831178

SHA256
1751a2f2d245bc2f1650ea911ca9650f7480a8bd6d78c1ebd0aa9f0fa3424479

SHA512
0c066e7611390c97356dd2a4899f236971019a9017a801fa2da00d250c9fa5aba1bc51fc0558539d86c478ad5b1a7ebc185156e57f72cad105f6b21b72d38963

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
67KB

MD5
c7b4b6b8b25deffc280b1c8fd609f63c

SHA1
b1aa1360afc88ea677f989209e05d401f3d22425

SHA256
e17ad843cc164a0bfa3f04a7f843761703b8ff2e7fdbb9cddfc871a961f215a9

SHA512
b269b72c4ea83d617d48cc69e2a5bb177c2e2f271937bbaf26406d4b1df552fd554c510decbabff1746ab60dcb98a1a147d4f592404533c02932fde664e73152

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
67KB

MD5
d29f6137e2c2ad76ce1520fdf3217fa0

SHA1
6207e60fbddf9605603002e8ff8276a8dd9ec3cc

SHA256
c4b3086becfc9d5aa89594b95e985128ba7ae5027a45c3e5dc6f27e60473ca91

SHA512
d290b5c60d07ccf382612d263a2f68906580b8bebe28fe1751d586e04317a571c9820adf6396b73c717bd637407c86e581b5561880a098e2b5f7b150b116b6e2

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
67KB

MD5
cd138d40261afb05fac3758f15cae853

SHA1
e3bdd81203fedeaa4b40f5b7687db7a29c7f2b62

SHA256
aa8f861b0e627592c33a5c4b19d0d9a2cf8bb38bd547e18b007c8a92f556a133

SHA512
49efeb23cd95f637b2ea00acc69fecdac34c4570c3aa8bf6c656d5e66e42b667298f16d060789ba744e7c50ee4ae5786f6c9ca37c8c753cd4300afa26446f694

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
67KB

MD5
d00422e9d3f7a88eb387b8e76ecc50b0

SHA1
65ea276d9e3c43b1e48264475cd5382dc39a8a02

SHA256
b8e8db1f8407287ebba3c18da86ff5b66e0d5f2fe6e2a9a09b82489dd81e8fbd

SHA512
59d9f2e0b3734d12a1f0c826776ba50f82fe0a44c6e076dd5f42ae969cb3fca0dc9e8b83a362c6f3d1f6d388eac4a306880f91ffc5c77387776ac236f299751b

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
67KB

MD5
720a9dbd85256d1622c80594905b11c3

SHA1
8f92312869f3974246098f2a3e89db932f8449df

SHA256
286a8cb61872a8ab50588581d7fce4119353d587a27ab86a10cfbc856905c9db

SHA512
1ffbf8c50bd72e171ebd1e427aeb9790b7697eeb11d6b062b10b7003008956ee5520e891855097e8627bd347343d38c9765cf053b0ba0f52bbf625dbda196136

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
67KB

MD5
34604eb15667b89237c058ee442c3889

SHA1
bc50038508100f64aa0a2faafdec059661fdda69

SHA256
379b8f4dc9dc73fc7e00c17e560bbf7587446e7bac8211540e9d85ae117fa055

SHA512
d14c61f875e2137674f229706d776ca9665f59d4162289dfb5311d7c21d173ef7732f41b01c44030a19ee7df049431ab1227352a20f8ff4cac6b6a5057f22099

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
67KB

MD5
cea8e37b78e4b8d7473341ee4044e088

SHA1
a5b68f78d2848af83bc936aa281c13fc2ee8f8c0

SHA256
af8cf5dd224cb1c35bc30230448a1bdbb6f6b97141ea3d6b9a07ec9a168a0436

SHA512
20e4927190b8a3b8b09c6d91eea972850b18070549acc43bf2959ddcceda5c399e1309ee44db90c270bd4bf851dfba4eb8f4b4905f23931321667c550d715758

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
67KB

MD5
d9b4dc80bfd48954466c153b5a57cb7c

SHA1
2cfe5e93f78c8fb8d992c9838cbcec07f75c708c

SHA256
fa163661e9563d5859c3ee54d0dade03eaa4e58c81c9b8637b944f41a85495b1

SHA512
d095927a55efbff13ee2032f9b474e03eefd8b9499719d7c1f3dda29e8707c4c12edf75ab95470635861d9a35f11d3aefb2e2e40c4c63f949bc15718c1fbd9ae

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
67KB

MD5
6d4089d5b04085f5600db810236285ff

SHA1
e616208eace5393bf44089ba26942dbdaf0311e8

SHA256
63d2d9c16d0ec2fc274caf7442489efa2cefee07f8424ed5272c37196f7420ea

SHA512
56f516fdaada9bb4ae5b1b89556d74eb6932214cf9ad6258784b729e3b3e731a3e7daea7d21f1584251b10bae0e3cd68a796b163e2ec2dbf46aca66c34fda1c8

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
67KB

MD5
cff47852e1c81903fd8a60e0fa74efd5

SHA1
e21782843034be77575128de8170266ab554bfda

SHA256
cfe240297d2b75830013ef402acd904801a80a6319c9b4e86a4dd34cb9a52aad

SHA512
1f0e6ad39433a25b18e69edd357f5ccb9b36bfd7f63ca792c745b1182e3df41eb024d996280c13f09bd02e184e1c3b15a114748e74ad88492ebdbd6b9cefca43

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
67KB

MD5
d801438d4ea41a77f3dfc17d3d74fbd7

SHA1
12d52f1fe759e415b733961a3bdc887879126bb8

SHA256
99221ec8be34b3ed1d6cf5ebac3132fed5c1490fee60972d44768214a4920be6

SHA512
53a2a3318318671380649f433d63a4cb5d833e7a7cccbd1d7fe2a367406d9584693b11de0c051fd43c23fe64852d5bbe119d0ba88133a05452b0815f94a86192

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
67KB

MD5
bee5235b8ea5306718cdd33ce49db36e

SHA1
16a60c4aa8699bb3944df41057cff438dda8ef4a

SHA256
7439fb8688b16463b85af5aecc4f86e7c49efefc1072a2d76708dbeb1aff31d6

SHA512
9e7ef3d6ab6130f2d8f46e9d16b89369932980d08125b256cf24d23b26ed002e4155a9f7092f2f30c46a43074315f60e698e891957df1f05b6b7bd830ad0ea90

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
67KB

MD5
94df25bfc62e2cf3bc72b0debf06ed8c

SHA1
84c3a9e17e5a10e9d8d6b298ee53232991840046

SHA256
849b9520e4e8fddfded61784ec78d357b51082e214117797dff87558bff1d057

SHA512
d24e912d76e2ca875d6682e66881e0fde8f1dcc52467157c6484764ba73a503e2e403a8460c9f8f45d7799313c558d03c1d29d04682f544568b7b335295e8b52

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
67KB

MD5
40a465e92045b924aca7b29cfabebf3f

SHA1
3c3dc84ff5de444de2d60412f4918f41236f0b63

SHA256
74f03ecd3a6b04d5ebc4c859141fba00f6443670e82f7389318da030b5a009f2

SHA512
c2b66109f376a09e373cc61eb077b8bd18a779260e428928ca0bc2c22c7b5c9112ac20dbe3c3f9666c307393192414533dd8d02d7c7fb51bacb123911408457c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
67KB

MD5
c808723f1cfb17a952f748dc41224bf0

SHA1
04a77c3596dc86654888b01ca7da7098150d16b1

SHA256
6a6ef712dbbd071c691d8494f0336131eb280df87a48a2e65dc90a92e666700d

SHA512
1da703eb88b6717905f243890a6dbd67e6fdc118e0c43a651e8f80fcef8539152d11c0f1d2ac9010ac81f5023c23a946599c3bf5fd53596b5e89c468904a1bcb

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
67KB

MD5
f3ce2abfc34b2ef70efc288f72c4a7be

SHA1
9d2fd14cabec6b5457d4272295b9736f8db24698

SHA256
e67e7eb55e578771fed419f402c78f67b3089fcd99aba808aee0edc96626605d

SHA512
2b9a382f42f9318e5a312fa10cd0c136a38fea37d6da25fce1bf76d2533654d89d98b54c8a177d57663553784f6e64b66286af75399e3afd37b16714dfd8ce2e

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
67KB

MD5
0129849dd98dc508ce22502fcac3c432

SHA1
20abc9331dabc82f2b3be43c032a354fe940dcd7

SHA256
77fd7873d61fd62e1deeada03b67212e4884b915b18e6def276ab0f7fcdeaa6b

SHA512
5aa9a5cfde08ec46e61214053a73c8efefc59a6fc37c1dc9649e953c6396ad396deace01c48361d06ac25036bb02b15dd48a0fbe69f7a4ef198e75c377b784ad

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
67KB

MD5
1082b959ff17bf66682a04dd4e467a8f

SHA1
4d1383a2b19b863376bae9c9e93eac0206b2e9fb

SHA256
1f2865657665c8cdb075c71ab2b30f320932a0c197a4f4bf02c203a14796bbad

SHA512
eb47c826fd0c97362a40bba90cfd136e7388b103f740d15d8456257754ea5f2085d947fdfcb893b2e15f31524c7396a4beae026c2df6b99b76888e0b92a97ffa

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
67KB

MD5
41f0f15a2de19cbf131e45e10bd63bd9

SHA1
7be7d0331abb3e733d8a8c8b0c8880385ea373fc

SHA256
49b745fbabe39db6bd971bafbf3f7a7b856098b070373fdae43837b6cb109c17

SHA512
daa721321c0c4ce472f758efa7880271bc06fff5f7d96195c5a611df8ef8618da38b1bd01da9a574539262d2b768c2960d1a6db35e769fcc4292ed56cca75967

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
67KB

MD5
531c6d1f0cfc97bb21c9c6c1eea1225a

SHA1
ca8f463418f3e67b083aefd564bab315b128836e

SHA256
14c917aaa9cc34c18e25887339f2e19e6ce5bfbaac690b796231a4c4088348da

SHA512
f5ebdf0e21981c0b541dd5a2da3e9a9cc42ccbd829e3cbdde60bd5e38044852689858b249793c97b5c9c05d9d9a93d176fa4d0bb1c2b4d81c680b43d2b8c7e67

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
67KB

MD5
621f290104f12a77c5d74db236fca2f2

SHA1
c7da6b93342d0f3c5ff78f5df680b76d828a548a

SHA256
eaefdbab210c8d6e92e046aaa1f07137822399097a9b07615e725d8da5e5f505

SHA512
6c83ca47437315001f977d82b2a72517f3c6f9430622390fac8e1d576a638f43269845a891528aca5a2dfa43f5465402f61c60f130ce7d7d10bf80428eabf150

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
67KB

MD5
7ed8563519bd4b8297e387b204849f9e

SHA1
c505546e302570922b5da49ccab7506c886b1bb9

SHA256
f1e39e3ad2ee1313f9e2fe0d388096b2fc07c4045ae1de03d14a67bdecbc387a

SHA512
fc59564bea64e55a973a59f8e9139b31593d007d98736348ad837c8ea36164616da060b0c376e707d8808836a49a680633c7d1d8386b7fb7e963c7c36f17cc52

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
67KB

MD5
451a790a54e81b566aed229991d2da1b

SHA1
3f2dc7a419b05babec808cd268476bb92df28be7

SHA256
6fafb836f3da9ab48397c244675ca71006e827b60e4200119767a834f198b5ff

SHA512
b53cb65c583754a4bc1c0fdaf9da2358ee08b82e409f637180fa0eeed66444b9f86f7dcd73e9bd59219ae40aa2f58d8857bf626cadff7fda8b40c2d244537a72

Download Submit
memory/228-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/400-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-481-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/620-492-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/620-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/860-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-475-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1152-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-470-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1320-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1400-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-487-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-482-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-468-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1828-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1828-474-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2272-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-493-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2900-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-471-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3240-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-480-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3288-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3396-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-478-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3452-461-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3452-469-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-486-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3548-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3640-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3660-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4088-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-488-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4472-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4472-476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4584-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-477-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-489-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-483-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads