berbew | d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326e

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe
Size

64KB
MD5

4c2f9916333e6c07f3dc092afb8132a0
SHA1

47943fe9b6e5d0de4ad428c7e45e9ff2506e2dfe
SHA256

d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326e
SHA512

81bc67c7bbc57a8ecf9471d7928349d9e22934d003abebb5814523deb65c714108c704c6f45960ee9ffad1bf952e67b641e28634fdad8f881ac02922bf520bb8
SSDEEP

768:hX5RT1uYkDlSGiVSwndPYjEgFtydyP7xTVgd/1H5CPfICyxlLBsLnw0ZFdGUYyy5:/RTYkDxYJNDORlLBsLnVLdGUHyNwW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1896	Pnonbk32.exe
3124	Pmannhhj.exe
3804	Pdifoehl.exe
2372	Pfjcgn32.exe
1640	Pmdkch32.exe
3236	Pcncpbmd.exe
3816	Pflplnlg.exe
3940	Pncgmkmj.exe
2748	Pqbdjfln.exe
2652	Pcppfaka.exe
4576	Pfolbmje.exe
3572	Pmidog32.exe
720	Pdpmpdbd.exe
1376	Pjmehkqk.exe
4872	Qqfmde32.exe
1740	Qdbiedpa.exe
1944	Qfcfml32.exe
3204	Qcgffqei.exe
2792	Ajanck32.exe
4364	Adgbpc32.exe
3976	Ajckij32.exe
1468	Ambgef32.exe
4348	Aclpap32.exe
384	Afjlnk32.exe
2932	Amddjegd.exe
4852	Aqppkd32.exe
1904	Agjhgngj.exe
1084	Ajhddjfn.exe
208	Aabmqd32.exe
876	Acqimo32.exe
920	Anfmjhmd.exe
2360	Aadifclh.exe
3920	Accfbokl.exe
4736	Bmkjkd32.exe
2000	Bcebhoii.exe
1272	Bjokdipf.exe
3336	Bchomn32.exe
5044	Balpgb32.exe
3348	Bgehcmmm.exe
832	Bnpppgdj.exe
4464	Bmbplc32.exe
3360	Bhhdil32.exe
3060	Bnbmefbg.exe
4700	Belebq32.exe
3012	Cfmajipb.exe
776	Cndikf32.exe
3032	Cenahpha.exe
3844	Cfpnph32.exe
1996	Cnffqf32.exe
5008	Cfbkeh32.exe
3128	Cnicfe32.exe
4412	Cmlcbbcj.exe
1992	Cdfkolkf.exe
4952	Cfdhkhjj.exe
3024	Cajlhqjp.exe
2768	Cdhhdlid.exe
2824	Cjbpaf32.exe
2724	Cmqmma32.exe
1568	Ddjejl32.exe
3624	Dhfajjoj.exe
2664	Djdmffnn.exe
4744	Danecp32.exe
1676	Dejacond.exe
4992	Dfknkg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	1360	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1896	3364	d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe	83
PID 3364 wrote to memory of 1896	3364	d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe	83
PID 3364 wrote to memory of 1896	3364	d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe	83
PID 1896 wrote to memory of 3124	1896	Pnonbk32.exe	84
PID 1896 wrote to memory of 3124	1896	Pnonbk32.exe	84
PID 1896 wrote to memory of 3124	1896	Pnonbk32.exe	84
PID 3124 wrote to memory of 3804	3124	Pmannhhj.exe	85
PID 3124 wrote to memory of 3804	3124	Pmannhhj.exe	85
PID 3124 wrote to memory of 3804	3124	Pmannhhj.exe	85
PID 3804 wrote to memory of 2372	3804	Pdifoehl.exe	86
PID 3804 wrote to memory of 2372	3804	Pdifoehl.exe	86
PID 3804 wrote to memory of 2372	3804	Pdifoehl.exe	86
PID 2372 wrote to memory of 1640	2372	Pfjcgn32.exe	87
PID 2372 wrote to memory of 1640	2372	Pfjcgn32.exe	87
PID 2372 wrote to memory of 1640	2372	Pfjcgn32.exe	87
PID 1640 wrote to memory of 3236	1640	Pmdkch32.exe	88
PID 1640 wrote to memory of 3236	1640	Pmdkch32.exe	88
PID 1640 wrote to memory of 3236	1640	Pmdkch32.exe	88
PID 3236 wrote to memory of 3816	3236	Pcncpbmd.exe	89
PID 3236 wrote to memory of 3816	3236	Pcncpbmd.exe	89
PID 3236 wrote to memory of 3816	3236	Pcncpbmd.exe	89
PID 3816 wrote to memory of 3940	3816	Pflplnlg.exe	90
PID 3816 wrote to memory of 3940	3816	Pflplnlg.exe	90
PID 3816 wrote to memory of 3940	3816	Pflplnlg.exe	90
PID 3940 wrote to memory of 2748	3940	Pncgmkmj.exe	91
PID 3940 wrote to memory of 2748	3940	Pncgmkmj.exe	91
PID 3940 wrote to memory of 2748	3940	Pncgmkmj.exe	91
PID 2748 wrote to memory of 2652	2748	Pqbdjfln.exe	92
PID 2748 wrote to memory of 2652	2748	Pqbdjfln.exe	92
PID 2748 wrote to memory of 2652	2748	Pqbdjfln.exe	92
PID 2652 wrote to memory of 4576	2652	Pcppfaka.exe	93
PID 2652 wrote to memory of 4576	2652	Pcppfaka.exe	93
PID 2652 wrote to memory of 4576	2652	Pcppfaka.exe	93
PID 4576 wrote to memory of 3572	4576	Pfolbmje.exe	94
PID 4576 wrote to memory of 3572	4576	Pfolbmje.exe	94
PID 4576 wrote to memory of 3572	4576	Pfolbmje.exe	94
PID 3572 wrote to memory of 720	3572	Pmidog32.exe	95
PID 3572 wrote to memory of 720	3572	Pmidog32.exe	95
PID 3572 wrote to memory of 720	3572	Pmidog32.exe	95
PID 720 wrote to memory of 1376	720	Pdpmpdbd.exe	96
PID 720 wrote to memory of 1376	720	Pdpmpdbd.exe	96
PID 720 wrote to memory of 1376	720	Pdpmpdbd.exe	96
PID 1376 wrote to memory of 4872	1376	Pjmehkqk.exe	97
PID 1376 wrote to memory of 4872	1376	Pjmehkqk.exe	97
PID 1376 wrote to memory of 4872	1376	Pjmehkqk.exe	97
PID 4872 wrote to memory of 1740	4872	Qqfmde32.exe	98
PID 4872 wrote to memory of 1740	4872	Qqfmde32.exe	98
PID 4872 wrote to memory of 1740	4872	Qqfmde32.exe	98
PID 1740 wrote to memory of 1944	1740	Qdbiedpa.exe	99
PID 1740 wrote to memory of 1944	1740	Qdbiedpa.exe	99
PID 1740 wrote to memory of 1944	1740	Qdbiedpa.exe	99
PID 1944 wrote to memory of 3204	1944	Qfcfml32.exe	100
PID 1944 wrote to memory of 3204	1944	Qfcfml32.exe	100
PID 1944 wrote to memory of 3204	1944	Qfcfml32.exe	100
PID 3204 wrote to memory of 2792	3204	Qcgffqei.exe	101
PID 3204 wrote to memory of 2792	3204	Qcgffqei.exe	101
PID 3204 wrote to memory of 2792	3204	Qcgffqei.exe	101
PID 2792 wrote to memory of 4364	2792	Ajanck32.exe	102
PID 2792 wrote to memory of 4364	2792	Ajanck32.exe	102
PID 2792 wrote to memory of 4364	2792	Ajanck32.exe	102
PID 4364 wrote to memory of 3976	4364	Adgbpc32.exe	103
PID 4364 wrote to memory of 3976	4364	Adgbpc32.exe	103
PID 4364 wrote to memory of 3976	4364	Adgbpc32.exe	103
PID 3976 wrote to memory of 1468	3976	Ajckij32.exe	104

C:\Users\Admin\AppData\Local\Temp\d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe
"C:\Users\Admin\AppData\Local\Temp\d6ad4a9118b42b020c0eb84e46a9bf4540e92b3abe2b839dc5e1179d511f326eN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\Pnonbk32.exe
  C:\Windows\system32\Pnonbk32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\Pmannhhj.exe
    C:\Windows\system32\Pmannhhj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\Pdifoehl.exe
      C:\Windows\system32\Pdifoehl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 212
        77⤵
        Program crash
        
        PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1360 -ip 1360
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
64KB

MD5
06444abc6bdecb752234fca578931ea2

SHA1
be6f3259845950495a71b3d1da5f65e3536403a0

SHA256
452f5c187d1069735efd9d954a089661aab137c6f65e531ab6bd438f3c77b8c5

SHA512
928d2744911a936894df2b27bc2c882b9c444778b04fbd07db18ee8e6254691c2723d8f59edd173ff1c9bc70890b9bf73765228afe6bdfab2509a893953178bb

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
64KB

MD5
8752557a70b1da3494edd03a4102585d

SHA1
7bc25de92737c309f1b66129ca0f6e7803649333

SHA256
d6571fdf2ad46aca073fc3127f074bf2527614f80395e238e5f693d24172d12c

SHA512
d8746e4c72d4acde4a4afcede5dd8fc73c5ad29e019b8a23813bef37b06d6d18e0a39c2493422480cecd65233a414648eb00d2779d9dd0913a9eabb1db87975c

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
64KB

MD5
a144db5f2e9ca0c178ada5250165ffa3

SHA1
e95ef3b783f369cd7bb1b420b4e95934b78e8951

SHA256
21265f43a6096a0935921e82b9228da47c523830087f19a7b7c0d9a9e44ab252

SHA512
919b71d0511eddfb4844c55d3f089bca5dc792734fcd9bf555b48b517a26a70c136ce2278ae39bdd7a666ce1cfb64b747e9d555abcb2879cffd25b02424d8f77

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
ab5b6cc35f2bd47cfdb2551b5c8c9d0f

SHA1
d8837f4f702c421d86c733b548cad0c01a3b0ef5

SHA256
cbeac0d2530ae28a04e5cf2394b9bec58abbf6d496bd5371fce87764ed09f0de

SHA512
17bc643da8ef986b20f2a531571f5fca6658baf82b70d834d9d42dd4aabb9932360d47a1649fdd4a28173df2e8671a2e48fbfd669fe647d98ee4110469f0c721

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
64KB

MD5
224cd44e29392214a3af5ac552cb6e61

SHA1
655e2fa51a5411163733644ceaa7fab769f8a9b4

SHA256
fd2df461d548d1691391192a34ff279a45c6de8a2a9dffabe3581d5cb6305483

SHA512
da882806c5db954d66206f2b001a027a5bdd4215f7f6e2d75da68c57cb1b6cea25ef5f3947fc258618b284cbfeee0bb23f23d7a2b83344a536c6a9b4bb8c5cc5

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
64KB

MD5
02e6866afbd1732e89137c78691b786b

SHA1
04b7851ac77b66c1a5b47b96695417fd1f6a239b

SHA256
868e907466c11438511583bfa18feb206c1a4607aed7232cd681f5e0910ac657

SHA512
ca43df8f34dac9e9e57084107c2bce30f211dad1c66efbd4266c40a425dfc8d52f134213007cb97074b9ceb550783d1d717b4efaa5c3548f505b82211dc73cc0

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
5bba5d8ce611b231a88ac6a8900701a7

SHA1
ba4212a0e12fc51c139ea902bfb9611559777c67

SHA256
180ac1000467155d76924af2617555aa02358b78a8935b42b7a9c99383c83a65

SHA512
f099d6e660d1d4d592600f73b8923beb8bedefa9b5741af5444aab7be3ac5863b3a7b8b47e025526ae934fa985efc9b844c2c20c0cb947997cdd7f37aeea6238

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
64KB

MD5
0e1bdec940f08d84d2d1df08f4f67523

SHA1
a6288bf96017f2962faa5ca5bcd063208ae8f07e

SHA256
e84e3530e2183bebcb82bef2c77d3ccb40f9c38bbf6fd091703eacdd26ca1760

SHA512
78c94e2226c6790ecbae3e153e251fe12bfc217b7c90f9428628224a91cdbfd3ae4de1d404efa6f9101181e7c253dc7bd8b2e4c4dd30789f7f1f68c97831d914

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
64KB

MD5
c0edc5c98d85289fa94471f91d37b63e

SHA1
c8abd08ebf15c68398b1f49a98d7c826121b4082

SHA256
29b779895cbb97fa724e2f3a6c5253b49c3df0b7b4a2cb72f8b6c65f7def8db5

SHA512
8515243d303f1eef171d25c4570932ec59a26b9d14ce0f463757aecae0a1d7cd3787a4e8543914c7196924e9a639d7e982a407382667aaaf1045723681c21b9c

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
9f0175a989c6ef05cb53e279434b4aea

SHA1
08632d318a17febb9a5a285dffdf5f3b96bb896f

SHA256
1dc879444148ee5ba013db062d707d5eeef1cc5509528d91ef45eed41717c7bf

SHA512
f7296d40fde364279d5c032b3be65bd069457b9445cef5a88e80537c7fbbe31cbea9fa499041077c624eb56b944f5cd8c34280dacb4f516a44d788ccc5b5ed2e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
64KB

MD5
e1c60fd4c73bb80ec35ef2e1feac4df9

SHA1
a42f0658ef212ca7ee4333dee4f1811ff5639c9f

SHA256
df4d47523c7660c11880f479c3b18c7369fa8e9480290fb4ff3248a70c5b4264

SHA512
297677b3b278de0375ce2e00d2b8a078b8bc459522c43233b428ed3833576fda5c1a52b3ab7bf13c7479ee78703db1de92ed4265c8443131e39e673bb0787440

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
64KB

MD5
d444133ff7b249d2cd8141267ddf3ef9

SHA1
859d360a3b5dcac9d9b26e17b9cd5dcd13510af7

SHA256
c663835363138c0fdbafebf4cf3169a4550f3a95f8edf88f10372900499b8778

SHA512
b843777eef0c88ffb18ad2969dd4e244761812187772b5b243c4b582dadc9c649dcfc70a5f4d420c9621f74bb94f5b0ef65b26bc3b7c15f5a4d8e2f925d1e890

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
64KB

MD5
ed42b58a09b177dbced57f00b724eaca

SHA1
ce87192e66c2fb36fc22cdba2b51006ce4cc2027

SHA256
c40605f5afc450a24f885b269192e6bc97b0b5624697536d1ba4a55933f44e66

SHA512
2da08b98f479467ffa2b8774c27e0a6d4f61221afd47479bbd26e1b11ea2632f00442816d70c0e9fe4cc353d274da81a8a683250ae9c575b4ee61df4d8ebb95e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
64KB

MD5
775151598a29c280dbe5d2fc91f2118b

SHA1
877a5814c131e7ed76e1d26bf4b3e73ceeb99122

SHA256
f3802147b227066341d12821a93de6a3efc8ae045859690e69093b5aa99bfdbe

SHA512
c3cd7abb20696e120439926e182191715bea566630730583780ca0e949732d86c90b984d02ac2a0d2a261a9226a8271338c424bcda73ac2070b35446a2ab4580

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
5b7335eb89af39382f639193a3e9e16d

SHA1
cf06796abddf7757d118a2ce2d09d1f8cfb6b9d3

SHA256
f88b39daa93adae6e3dff549262c9b88fcd22fba4d30329129d73839f0aa5c34

SHA512
c622854954ac38b23dde5d6f568b8a647a1ed94fa939eaf22a3643ef587716af26dd2e6507fad3078b8ccb8d9f1778744d06bf58fd32c17f0302ec6acadd2ad1

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
8232cee9ab6d3a394baf5a2131abaa30

SHA1
76a5e38e21c50c1be3236d5a6e01806c0424127f

SHA256
0276e7430b01886c144f8255dc508e51d0d5acc90ee69f7634eb0ac5816ee0c8

SHA512
b0e686adcd062ecfdaa3cf22f7bacbecf68b67044c9025977b3f8d2a17c5d3f282a13c321edb064e0245f61e817b6dd71c80b4192961140b937f34fd2c706dde

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
540ab3ccd8f023f96ccd2f952d3242a2

SHA1
269fb56d79bfd4d18fe2ff635979afad868564e4

SHA256
a151ea2cd450b390330009206d33e4ecf0c9a285202a2edc7a122a16ea2e7e0b

SHA512
ff5ebcda7bc225b4d8f530b316b317380702848e7478a1e8c95a508edaa80744f707e157827f64a83b71bce5fbf257fc724d3c1b610e5d8365a89df5b7250d8c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
2b6cbe1bd9d0b6a12ed3f63e4f7aeb57

SHA1
5a2b0f868090ce9e3ef0c801b5ec7f7169909005

SHA256
336e7846d44c620165ca109a6cb8d92e3759b61962c9b91ed0256e79b1674e6b

SHA512
fcd21c50356799c0e0eb19e7e393a282b0a9168fe045653d5f592a5479796fef66d920bb7069fb506901185aee6537a22a6e208ff4aeb1a1cc1aa005d8c2cb7b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
1984ebca70208daa27184622a3792155

SHA1
4e9c5b206b213e4809aebbc5a13a70425fb1db50

SHA256
57bcb8bce1d1eecc248bb2fffba9486bbf88e2a2ce2adf2ed929313362f24d57

SHA512
161ca5de4c9bef9f3846f659f16733d97bb8229f0179e4feec3f884a40a8075fa95856e9f06ae4f733173d4d5a5099edb62bbaf92718226ff92af899a4f9bd90

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
6db111ad559bfee52c373bdb3098540e

SHA1
08101e7972e267f303fea66baee73eb600ff602c

SHA256
1ce0a51d56ccd15cad831ffc7dd654ddd5a5404894ccb697ba7820c41ee13201

SHA512
028d23a4b87aa4d718a64f2296f9198f432be12ad07e2da2c22270141a4fcfa9a718b275093ef938c0e6971424b6b8d624cec49c40fea55fc5826c7660bfe13e

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
64KB

MD5
828649daeb19f7e78590388981366794

SHA1
6dbdf8d2c174e1e800c4c5450101d47fafbe7153

SHA256
7e963ca906c815c7ad2ed1c14e8d60a30a20244772312ff02a975312c8b7994e

SHA512
1d02165f7268d7238ea0a1538f01093430e8bd34041520e19fb24a02f580d0a5477967fbb4fb9db5cbe305e3eca2ac9ec38522ea6e80c182a9bb650f60b2ae7d

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
64KB

MD5
3aba3aa9690b675154c9b557d0499001

SHA1
9b65bdd674d00a6ea1b53bfb0ca379625b13cfd4

SHA256
bbee405cbe37f126108f6ddeaf6418b4542494b7cb8f2d73ff8ab0c3976110e3

SHA512
47ebc5ae0e20a8ca0706ec5a3a50b33850d365b5f3349cfeaf1fc69ee2c2afcb13b054e9c2648b1dcc56327fa7862a08348daddca558485c08d257e0513eae15

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
64KB

MD5
a9dafd0dc04b5bfd4f8dadf3e715c807

SHA1
b885ec23c4b7781faa4a77e9affd979d8c49b88e

SHA256
515c072519ee043e4fc6e4e097dd8168df5e6feda171139d0c18f73a281072e9

SHA512
0fd7dc8040414fb2ebcf5557d27bc881e3970798c7d3b7999127c5bce668648b1e33e683a566613a800d669d3481ca7db6d7ee6f2cb2f2af49a24913f08f6d0b

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
64KB

MD5
34bc32ec9624c1228c7206527fd8f52e

SHA1
f0f925807e1a8bd0b9bc54beaae0a2238aa3a498

SHA256
ba4497f4534a7f696312ee7365ed9381cbe933ae1672f85c4b1ff7c225dabf7c

SHA512
938703d7c23b998c3650bf4ce91a56d42825c5567cba7b2ac87109ace58c678d8fb837879606b133fdd4f4c4ba5407b89428e416aed0124e98ce25168fc30bb6

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
64KB

MD5
1485d1a9b3c9c5db8a486b3af7886ca3

SHA1
a1202eca90090cff653ea164fc11187080402a07

SHA256
412b4bc851438c129453885043f7c8ee1fb128550c3d0fff7d0934872b4251b2

SHA512
49ad02242225e2413d611a29752f46431664cd865cfabb2bf94ecb53ad837d0248dd47b040babce5480ea94dd3b71c8bf8f01ea546896c11b8def4eaa459236a

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
64KB

MD5
e31f79c5694f457b7a0e403effab9ede

SHA1
f102b200323770fa46d9c555c583a9b90430ae5e

SHA256
cc6dee3c283e30e71f4534471645ac37015f761e517e76a3783772cf56c67d0a

SHA512
e83806570cb49eacde59ce0a6a56eef9e9a53d6f56eebc00b07b3be05a8674cc0d6b4cf7ca86b1e285659bef7536b8a9a06824e84fad0bc2a06cbdcdc4eabaa7

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
64KB

MD5
40db04fa4168fff467498f72ab1c34fb

SHA1
dfd84cbff5a78a2d5c8b6d4cc2dbffde64cdb4da

SHA256
bb99b265afd4e0ee0b91f127dfd4a7074b239fd50bda85ac5ad44239456735d8

SHA512
610059d04bc62c12c4d1f0f116fa386355ec798a99f1cfc1d3b100a5ffc30ae830efe04405ae34f8d92f752af295d4ea25caef356974b939dd5de0e5095fd423

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
64KB

MD5
6ab2cfbeeaba1d113f0406ee787f5f1d

SHA1
73f527d20a159564bbf7b808001b1d7b94507fd9

SHA256
4dec9bb365ea2c2e2958b2ed9d053e06c8b8964784f35eb4d63442e5855d215e

SHA512
a800029582a0368a32c69e5d35faf39a0aae75e590962ecd8501ad2d77a837fa6172d187fce20876bd052169705b449653d262b1ace0f31e3844a21489f3ea2c

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
64KB

MD5
65c06b76e08a8ac9dcf18092c2b004ba

SHA1
f971a39bead5b889173e3ccdae8caa86073948e6

SHA256
3f8c0ef29ee239f67218f7c559b9016f1ef09e3c5059793580947b48226a741a

SHA512
08bc6f099e2f8056f84e9c57b7262fb915edc8e727dd711e056e7fff1328273a57abff0efc149b3da7f78fb008932281b4977c0bd378951851a902e142b83e2f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
64KB

MD5
73b4e2b887bb6b76dbab2034250b7b44

SHA1
66dc3b64bf134b4cfd5223275eff17247ae6ba4f

SHA256
63291f00b39071330e208c79baa10f59ddaa0854f7f0173c6348fa4ffc316467

SHA512
a396e5e222bfd92cd8f8afe836e1538b4c8d083e0a1c16bac528fa83cbab2dbfed7d3a86e7a7d050a46def357a05c5bf779b91b733627a51e2a37375d3bac559

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
64KB

MD5
6b7c862c206f6d88d4b1511fbc4fcf60

SHA1
121ce6fa52520fa2bf6086aa279c5dcfb86bd43c

SHA256
01e29c83acaa90821c6561fdf60d4a1b4d7d62fcfdadebf6bd38192825748b26

SHA512
03aca20e6243dd8cc239dc9696679e07f660521e880140066d475af46daa4b6e11cda23e73f201626a5661b5dcc4ec9271985f516856e4f3f8eae49ad87edbbb

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
64KB

MD5
f858d03f64c4cf4e717c03434820fb71

SHA1
cfa42ceef3a9caae3b460425e1a62fb0ff96146e

SHA256
b25124b7a2b35f4091d4b378ccd3f6199ab722e4d7c594480e54e3f3f7d613fd

SHA512
4c4e7fe3187067f94eb7913238f0c85ae9006576b7296e7fc1cedead6dd563546ffbd6965c63cd7a8ea78f13c5bff8e1bb112f9182b8697139e3751b293bf1da

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
64KB

MD5
06dee4ede901e350cbcaac0124da4829

SHA1
30e0661bb11a36c40c231eb8436aa63283e81c7a

SHA256
55d0ccd15f5adb5ccb2b27c1d3f5f1e1f9469eccf6ea2d7fa0aaf7bb637f78b1

SHA512
d33c9932a857594fb19d184c123faee36c742c97dd926dbea0b589d95e9749758088a51914bcfd0ebd713e418e62aef04de25564d8465b3d3f89aa5204c9f719

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
64KB

MD5
ce9280e883cc11f0288faaf72206e3b3

SHA1
bf05e86b7526f4a669866c0c126d10bdfb74151b

SHA256
4aa4ede6c2a9530e7cf3f05a4e5aec8d7e9fcbe0e7551d0673137bfaa3963f62

SHA512
8d18a17a19774ea45839dbd5b7a430c3fc9220fd116d99a4a52641efcf985366d6429adc19407d0d7c2584bbb299f2f113dff02b90a2e19b6ba651721665b473

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
64KB

MD5
12121517f2543cc015baafc8f955e051

SHA1
86ada7750cb2b46fee55f577c8f1f0537c76ad8a

SHA256
7a33d4b977be37b36a7b9b1e9421477a39dfc231ac2d47295c9f60636253d626

SHA512
3e0c0c88f5a4915e9cd80b9941a72f5fd6a71711ba050c820cd1cd9297d9bf32dbe41310c55ac8f3651636ec6420e456125d70588a7e0327a4e7d2c79695d8f1

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
64KB

MD5
c38454417e6884324f41ffd3330cc70d

SHA1
0ec71d9b3f0c7194ba5f5e63d8eb71a208de4012

SHA256
ff6c25cdc6c520d812f1a947cb6a1765ce5331312399d47de72530ac52ec0f32

SHA512
f45b59f5e671e9a2fcd1588f46e1c140ca0162b2a7efe4a12e6fababc518ad85dca42c0ac21b2a97a04f51c3129b5bce0bd9961ce0f0f18f59bce7ac9e45ca53

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
d65bc29ad70fcbd0b76e958230016396

SHA1
eea2a79086b6ab480e36797fa4f4cfcd2351b9d2

SHA256
eef9e07d5eeafd014e586c7cc9d22acc45e1aa8e1b78c101dfde4269acb79be3

SHA512
a2b6858dfdd5d095b7ead2d90896c52e7a26d2412c02eb3d80137bc0dd31c1cbe879b2c1fcb80c4e5c5824ba2491ebeecf514ab1a6ebc33e537f2a11557b0c35

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
64KB

MD5
601ae967dc1fb44ad8ca2af1e8577b3e

SHA1
14eeb2414d3f504e5342d43e996ffc5d5294be2e

SHA256
9505f513de4769e3318b5fd99998683e4e4a22dafb9c4192cc2cefee01a3caf7

SHA512
3274390aeaf8bfac83a9d4cbc93a6402c88298942abb2f13188f2e1627c76ee6255f088d0abc47dcc92ab102e6dfcd640430e681c454c1df1d5e0d0099579ec6

Download Submit
memory/208-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3572-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads