berbew | 76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe
Size

320KB
MD5

b56d8f361facc0c76141d5583890d57f
SHA1

677a66c0915ae70278812ba8ae6bf5177d7cf48d
SHA256

76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca
SHA512

a06d62968057f8f70516d565fabce4bdbc2d76a4b6f3b476cf249b84ff5d933d44eeecf390239cddc51fb100a306c493df6867e347c32f3e8bbd75bef8c5d124
SSDEEP

6144:cZrhRn3/fc/UmKyIxLDXXoq9FJZCUmKyIxLq:cZG32XXf9Do3R

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1248	Ojjolnaq.exe
2700	Ocbddc32.exe
4420	Ofqpqo32.exe
3688	Ogpmjb32.exe
3888	Olmeci32.exe
2608	Ofeilobp.exe
3496	Pdfjifjo.exe
4464	Pnonbk32.exe
3204	Pclgkb32.exe
3392	Pmdkch32.exe
3248	Pflplnlg.exe
3336	Pgllfp32.exe
3396	Pcbmka32.exe
1944	Qnhahj32.exe
3576	Qdbiedpa.exe
3324	Qjoankoi.exe
3472	Qqijje32.exe
4260	Qgcbgo32.exe
3724	Ampkof32.exe
5020	Afhohlbj.exe
4220	Ambgef32.exe
1544	Aqncedbp.exe
4872	Aeiofcji.exe
1552	Agglboim.exe
2160	Anadoi32.exe
3728	Amddjegd.exe
1412	Aqppkd32.exe
4496	Acnlgp32.exe
2304	Agjhgngj.exe
2408	Afmhck32.exe
5092	Ajhddjfn.exe
1472	Andqdh32.exe
1476	Amgapeea.exe
1720	Aeniabfd.exe
1628	Acqimo32.exe
2840	Aminee32.exe
3584	Aadifclh.exe
2252	Accfbokl.exe
1524	Agoabn32.exe
3552	Bfabnjjp.exe
940	Bjmnoi32.exe
1924	Bmkjkd32.exe
3784	Bagflcje.exe
4212	Bebblb32.exe
5096	Bganhm32.exe
4968	Bfdodjhm.exe
1492	Bjokdipf.exe
4144	Bmngqdpj.exe
3952	Baicac32.exe
3656	Bchomn32.exe
548	Bgcknmop.exe
5036	Bjagjhnc.exe
2680	Bnmcjg32.exe
5000	Balpgb32.exe
2648	Beglgani.exe
5080	Bgehcmmm.exe
5104	Bfhhoi32.exe
2796	Bnpppgdj.exe
5064	Bmbplc32.exe
2992	Beihma32.exe
4424	Bclhhnca.exe
1164	Bhhdil32.exe
3108	Bjfaeh32.exe
1008	Bnbmefbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4288	4020	WerFault.exe	167

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1248	3696	76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe	82
PID 3696 wrote to memory of 1248	3696	76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe	82
PID 3696 wrote to memory of 1248	3696	76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe	82
PID 1248 wrote to memory of 2700	1248	Ojjolnaq.exe	83
PID 1248 wrote to memory of 2700	1248	Ojjolnaq.exe	83
PID 1248 wrote to memory of 2700	1248	Ojjolnaq.exe	83
PID 2700 wrote to memory of 4420	2700	Ocbddc32.exe	84
PID 2700 wrote to memory of 4420	2700	Ocbddc32.exe	84
PID 2700 wrote to memory of 4420	2700	Ocbddc32.exe	84
PID 4420 wrote to memory of 3688	4420	Ofqpqo32.exe	85
PID 4420 wrote to memory of 3688	4420	Ofqpqo32.exe	85
PID 4420 wrote to memory of 3688	4420	Ofqpqo32.exe	85
PID 3688 wrote to memory of 3888	3688	Ogpmjb32.exe	86
PID 3688 wrote to memory of 3888	3688	Ogpmjb32.exe	86
PID 3688 wrote to memory of 3888	3688	Ogpmjb32.exe	86
PID 3888 wrote to memory of 2608	3888	Olmeci32.exe	87
PID 3888 wrote to memory of 2608	3888	Olmeci32.exe	87
PID 3888 wrote to memory of 2608	3888	Olmeci32.exe	87
PID 2608 wrote to memory of 3496	2608	Ofeilobp.exe	88
PID 2608 wrote to memory of 3496	2608	Ofeilobp.exe	88
PID 2608 wrote to memory of 3496	2608	Ofeilobp.exe	88
PID 3496 wrote to memory of 4464	3496	Pdfjifjo.exe	89
PID 3496 wrote to memory of 4464	3496	Pdfjifjo.exe	89
PID 3496 wrote to memory of 4464	3496	Pdfjifjo.exe	89
PID 4464 wrote to memory of 3204	4464	Pnonbk32.exe	90
PID 4464 wrote to memory of 3204	4464	Pnonbk32.exe	90
PID 4464 wrote to memory of 3204	4464	Pnonbk32.exe	90
PID 3204 wrote to memory of 3392	3204	Pclgkb32.exe	91
PID 3204 wrote to memory of 3392	3204	Pclgkb32.exe	91
PID 3204 wrote to memory of 3392	3204	Pclgkb32.exe	91
PID 3392 wrote to memory of 3248	3392	Pmdkch32.exe	92
PID 3392 wrote to memory of 3248	3392	Pmdkch32.exe	92
PID 3392 wrote to memory of 3248	3392	Pmdkch32.exe	92
PID 3248 wrote to memory of 3336	3248	Pflplnlg.exe	93
PID 3248 wrote to memory of 3336	3248	Pflplnlg.exe	93
PID 3248 wrote to memory of 3336	3248	Pflplnlg.exe	93
PID 3336 wrote to memory of 3396	3336	Pgllfp32.exe	94
PID 3336 wrote to memory of 3396	3336	Pgllfp32.exe	94
PID 3336 wrote to memory of 3396	3336	Pgllfp32.exe	94
PID 3396 wrote to memory of 1944	3396	Pcbmka32.exe	95
PID 3396 wrote to memory of 1944	3396	Pcbmka32.exe	95
PID 3396 wrote to memory of 1944	3396	Pcbmka32.exe	95
PID 1944 wrote to memory of 3576	1944	Qnhahj32.exe	96
PID 1944 wrote to memory of 3576	1944	Qnhahj32.exe	96
PID 1944 wrote to memory of 3576	1944	Qnhahj32.exe	96
PID 3576 wrote to memory of 3324	3576	Qdbiedpa.exe	97
PID 3576 wrote to memory of 3324	3576	Qdbiedpa.exe	97
PID 3576 wrote to memory of 3324	3576	Qdbiedpa.exe	97
PID 3324 wrote to memory of 3472	3324	Qjoankoi.exe	98
PID 3324 wrote to memory of 3472	3324	Qjoankoi.exe	98
PID 3324 wrote to memory of 3472	3324	Qjoankoi.exe	98
PID 3472 wrote to memory of 4260	3472	Qqijje32.exe	99
PID 3472 wrote to memory of 4260	3472	Qqijje32.exe	99
PID 3472 wrote to memory of 4260	3472	Qqijje32.exe	99
PID 4260 wrote to memory of 3724	4260	Qgcbgo32.exe	100
PID 4260 wrote to memory of 3724	4260	Qgcbgo32.exe	100
PID 4260 wrote to memory of 3724	4260	Qgcbgo32.exe	100
PID 3724 wrote to memory of 5020	3724	Ampkof32.exe	101
PID 3724 wrote to memory of 5020	3724	Ampkof32.exe	101
PID 3724 wrote to memory of 5020	3724	Ampkof32.exe	101
PID 5020 wrote to memory of 4220	5020	Afhohlbj.exe	102
PID 5020 wrote to memory of 4220	5020	Afhohlbj.exe	102
PID 5020 wrote to memory of 4220	5020	Afhohlbj.exe	102
PID 4220 wrote to memory of 1544	4220	Ambgef32.exe	103

C:\Users\Admin\AppData\Local\Temp\76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe
"C:\Users\Admin\AppData\Local\Temp\76cbc221f62d5c951abda27805790f0e792d889fb60fb2c02946335161c601ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\Ojjolnaq.exe
  C:\Windows\system32\Ojjolnaq.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\Ocbddc32.exe
    C:\Windows\system32\Ocbddc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Ofqpqo32.exe
      C:\Windows\system32\Ofqpqo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        76⤵
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2244
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 416
        88⤵
        Program crash
        
        PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4020 -ip 4020
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
320KB

MD5
96a89c34b378465fdbc8e9b854162286

SHA1
57f7ed65d06f7a7670e100d0e7460f5939da8fd4

SHA256
2b17b8d5b3b77ff0c8b5f4b22fba73b2294d6b0e8e48adf59bbb4f5df0513523

SHA512
86bcc629c7df6cf8bdcd13cbc6b0eb3cc27f3fc66f409dac5fdc0bbce12c8a48c35398bfed754f2458b8824796f07c75ce253f1c66986a7ddcd51a4b91807350

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
320KB

MD5
39259d69ae031f08e9b38cee9ecaff93

SHA1
5d390d21028718076e1a9dd4740786ad67650fd5

SHA256
92965373e6550f5bbb6af2da116ac2a9204bf880cf2de296db258959e3f6cb9d

SHA512
1fffb92ea3ad985feb3ae3a9c1620a88513bf17eaa0a627c7175a7dc06013d004a57838a723ca1d2d7e5c87e32cac2f276a5735b86632ccd81506ea3511167f5

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
320KB

MD5
454f707d611d6b3d024025f01a11c961

SHA1
ee66f2117d6062a719adcc765da6ce9027c7dd58

SHA256
7a138e1c3b9581d49049a61161524047c9af7a5d0c9288b06381d1cdd944dce4

SHA512
e91dfa4592de8229aac21863b0a39b9c0a5fd39075165d7e4719f60e8a30beca853fbe32b9aaadcf24417fe96dc722a70a5208dd8d3857c0759d153b6e6aabb0

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
320KB

MD5
d177f3f4fdf2d6b8b78c45b0661709ff

SHA1
0162fefe73cd3c4f9605f2277e89dbc5fedd69a5

SHA256
6304cb5edefb1d87db85b3722dce3e198ac4e6874f03a1d0b83fdc1b5870b855

SHA512
12499d796a29cbd41c45e9c80de0e7b99252462ac2a88b46c72a2af1b591dd7c1b28d5749f193f4365eeecb74632fa601a2a5a19eba8f337c8077eb234fd4b12

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
320KB

MD5
b9be39ac1c36806ece06e4bd2d286040

SHA1
0e9c45ae2bb395b096342dc72f2d7a049559404e

SHA256
0c337bb56d3aaa4ceea12b9f7f415d38d11e6745cf8ae234ada581fdb4bad8cb

SHA512
7622fd2e5caba38edc463f35789ffbc93274fc2381a28233f72960f62ddb0a8406f854aaed6b532ffd3fc1cb9b9e3360b4e5b1c5262b955715f4acb07e9a9e6f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
320KB

MD5
1dfb41e2067ff364fc438ea4b78d170f

SHA1
58e50d70c2bb682baab64a6c1a3f703ad2387770

SHA256
dae1ebc59d31463c61487b1a860e252eca3db448f54caa9754400c3d2a5e7bb2

SHA512
5785da5b0d74282c5c794a8f21670fa6121814871f770464af100418be7927054bd65eafa2c7931d8cd62efa7188d07b556a611268ea14ee3fc0e82e07a68ae1

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
320KB

MD5
893bb34745ff72a43ee57aa9ef10c3e5

SHA1
108e4021b100e380ae5c7c74ca25c92ef75cc6ce

SHA256
7bf4df83e3615582da74183f973fd908a4d9ae2ac22c3cd8ff575b2eb49d20ce

SHA512
8c7b618b963326f0dc28f82640576c8f33bf3d5a9ec122ee94a7cb7458c47e186a6ee049d753b6c5eb45c27394688b0085658f2fbb1999a1af37c386f09dab42

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
320KB

MD5
cae5dce81e2d3a3d11213a37c79eeaa4

SHA1
3b603a3a026c9ddece6d7aa1c8f827f87ad853fe

SHA256
791b6ac6fb3b3079b1f6e5d05834173611ca624cbaa26c1ba6d157bfea13eb12

SHA512
470cd54b0c365af060009c585f5bb995f110719a09ce6203190dca040e5fd16e1d851c7ef2e2c4886ea3b5157d3fff34e5391cba879823d2b165b35729ad1c11

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
320KB

MD5
285f50378ea1956c6b850be3fbcaecbf

SHA1
f9b7e27c97ccd395510ef577ea5ffd769bbd38a7

SHA256
c808a9bc1bfbc8e5cb65149efd3176d8a1b10400d6289d7b7cadd5f24c37c739

SHA512
40d26f092fc38fe3922e39a68b24c93c2f700a9c8f719dda2e0d5b3b6ba9065ea73dd1f285f4268553fe0a9a8c71476dd414d57bc31320aa3c676528ce1179f7

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
320KB

MD5
a6bbf31e8815f7583f19ed37a3306faa

SHA1
daa979836fe175e0f12980a5aa74cee3a8798e53

SHA256
6ad9c3a2b1e001f0d54607a51bc6fc669c4869a8b48a140a385dddc9404c00f8

SHA512
7f8f8f574a62ad0a71fd87bd4c71aa26d60726c53b7510e4d53409b8bdb090f8a3c9fa8f3b1792061fa15aec3b3d67e086ca4ec6bf6ca64522aebd5eda2cac2c

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
320KB

MD5
1e2f32dc15a7c1040a02ff136711cd01

SHA1
e2c0ca7daabc2f70e9304b51966bec41cde161a4

SHA256
a56e43a5e61fc3b177afeb5ad9196d557b291978dcdbc354e68e4da32466c525

SHA512
95b758b80303f5bc5325a158f48e12084bb045a9e005d2ce7b6e296468503724f7bccddbcee1dc9d7514c7a9b5dfd02aa531ce588e26aa4e18760b63d48c8a06

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
320KB

MD5
70791b375755a0ee647221834bdbaed7

SHA1
7c09ea78ff27883662d61488fe415a89d4b3ead7

SHA256
769c0b5d915eb559b9d1d3ae54d6ddbfb65fdb5a263379b946df7521006c8811

SHA512
45e52aacace0619e126742d046dbd922d52e5d90adf6c55e08be19742b7ccd5e09d7577bc7406081f2a19c2fc42b38567700b6c46230907679e2d02631a9e56b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
320KB

MD5
cf3244f70463ab463f47bd9f5263e036

SHA1
412c88cb9e2eccb8473e97e341bd58a7fbea0f66

SHA256
9cb20e3057b6cfee5c9626d9b321e45ac404161a9dbb2a195832e776d5f25d4f

SHA512
206cf2c8c3f648e72f7e4a2b0b4e7da9038545b854edbcacbfbe59297955711992a632e946fd8c3009709ebf71a197cfd68e6acae0a461f8f5592128e16cfbf2

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
320KB

MD5
23af8e655abcce5aa6b2ee3269445d7b

SHA1
b498081d61204ee45ba4d23ba01417bd46abc374

SHA256
2d6624ef344579be179b1d08c7bd2cd17339fa343240ffca2c55b11b0a5d5b0f

SHA512
399592d317994996cbee75c4060044a28bd91e1e9b6e1964f190b0f47b608827668d47acd069f2dede2b8038952da7ebe974df7ac8e807716f4749de43b83041

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
320KB

MD5
b697acfa67f49b80c7d9d06a687e960b

SHA1
4a895b6a589baa70bae24739d052e4ffa46150a3

SHA256
262a4aa17fa3677a84d2dfd585a3824e08f542ae59dc185a6058adf8be35a6eb

SHA512
a9bfcb5de6653e62015a7f60e072e16080bc78e469c9074192999d191bc7afceaa7c4a6ac7aafab62f804c0c385dc9a5a48ccf592bed0da654d44e54e5f7223a

Download Submit
C:\Windows\SysWOW64\Jilkmnni.dll

Filesize
7KB

MD5
4306bf601cfdcc9e9334433e77f2abbf

SHA1
12d57629150517cdfef4f41ba2f3b0099fae40e8

SHA256
d24a85cd13c8c218e0746e24173df38a715935b5c0e2597e4b13cc088f00569b

SHA512
8468bb8cf389f660a61f770f2477195df51d46bc3f0295eba36749da5d9695282900bd323358be539760bdb7ba66b640541990188687f73d4f5c1b1274b2b6a9

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
320KB

MD5
3b8e68ca2317b1e6bcadb2c0e3d1677a

SHA1
c85621de3d825bf8562560e8e52428587727c244

SHA256
5e0aa5f7f1749618e7363f87ec3fbd63ac2f3002f64aa7a2c871b2032045f5e2

SHA512
af6f89b950bb9eb77e56b256f30ccf6dac4afb76f2a01da429347a63921033fd65bdb8127194cc425fcbf800d2983794c522530876ff60f0cf1967b488d1f76f

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
256KB

MD5
43d525bfbb0ef00b1c1bf95d323b3702

SHA1
cddbf9ddceb0d2bb9aaf72b74c8da572538649cd

SHA256
b7bf1a042d2958f67d15cd84b1cc5600f3cda5363a991f1e1cf0765c8af28e1d

SHA512
af751d3f91804c51df41126473a241ba323670351589bfd0ddef257bbc10ae0b9ea578aa5966921548367a58a02fb509f2b4f9a678254f71041c2552e34e897a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
320KB

MD5
da3177f01681bfc8f407c4b10a4a3069

SHA1
fd6f244e050137fc991c3a41cc0cd592a8168029

SHA256
f140937fd3c63b616e360e1ac459f8d45e8d763df2ccbd047db7d8e73dfbbc55

SHA512
674871e8fcdc7944271c2858699b800ca2ab982f8565308f7b5f50dc5d61340e46bbf6bf3eaf75a93feaaf2326830b7131117889873b10f84852aa0dfc44b204

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
320KB

MD5
0d1b474b252f58adff77c43ffe288c78

SHA1
f075d9b853e992d7714a9b1cedebab7d13910dba

SHA256
bed981c9407df59091315057177cad7580ee9ba691c1002151e38241e2bb1617

SHA512
7eef911313e07574fd70dcdfc43a8762a360b9f95ecc650037006aa80e95d89490981f2b53a63a7c946d243c94bd099d15c0f069581342b26bf1458694418ddf

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
320KB

MD5
b449ebae0202d740d930e540d4552b90

SHA1
2e955c8d943a8f87d6b6603a002bf1a76da6a774

SHA256
6719d09cb178a1afc0ff2244c9f2e9cd5ce9428c54f9badf380c740e8170add7

SHA512
9e18a8bb95b60cb7544b59305cd19f68339ef3623151157ec23a0b812834247c685b5866fb29a773348b97fa8883a499f9f08ef65a9bb105fd6cc825fcf27fa5

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
320KB

MD5
eca74fa14cee1f8a564252555fb3893c

SHA1
c758831260a62784cedd67a64780ef8bc64b4b9d

SHA256
92d58f6db2cc34b5c6649131972a545bc8ea5fb2f452cc2b02fd5d1bac92e58e

SHA512
870a72249ffd45cea89c5002948e5e6ef5f5e820b14a7b82de3c9b487cb19c6a49bdbd361eeb7352db766a88860ae2e72c04644ed2c556c0f9c0516c1e8e1211

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
320KB

MD5
2beafc0c7fdecb61684174fe1c9a30ad

SHA1
442f9afed9f2ec55bd319fe37565a1762e9a26dd

SHA256
17e83f5402ec483cf14fed54051cbc90e87f65bcfbf3af6225d1e16d7d57186a

SHA512
2fe4c2e3668950e0025d4cf14347a8cd6734dd39e4fcffae1d75e99fcc2c1d3fbcb75db609c5e77a56d36981cf480bd79929054fdcf9a55c922d964eb00532e5

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
320KB

MD5
26e3b3411a64314440bcc42dba7c6d96

SHA1
09135a7e57176fa8c0433b5cd7de99b22c5f08a5

SHA256
211431d332feba0c38c70f8b4c3fcea01d1769a35f70234cac467cc2762bc102

SHA512
eeffd2fd1c2096e9d9710a457baf21dbaebb64858db6b3a8ba2619e3596147eb5674deb64cb2839284181a6c6fbfb87c28f81a9df3c3686c9e87a0b71a78d5ec

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
256KB

MD5
4871536ebe3c4441bde37f97ec10a892

SHA1
bb0aa13490dc5dff5bf726c900f0739bf939d7ab

SHA256
84bbb5a5d80a50ecd70bec104b452c96efb7d5883e6ce99718a8e90d1106c5e8

SHA512
afc85dd329d7385abd07c4678f74782df043a1a6f86de38c612ec43465f51d925efcad13b87877d16d25fe9f868159fd99db6e362f8b48cb0ed41dcb8f3fea91

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
320KB

MD5
1bf1cd4c5932be815cce5505f7e48801

SHA1
6d79397ad03e56567ccee08083f6ec64df9dd97c

SHA256
370289e78a2fc354b9ede3af58678b4e8e60e42f405379d16ee008518892c04b

SHA512
5a7e0ca041ac10926330876380525e30de118d2725ef6357c4bd5d1e5520039a70401ff71223b70f19737004b00cccffba723fbbf6cb30ce158d7dd2a7cac8d2

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
320KB

MD5
cd302779ccdbc5c66ad60c85a9a7aca1

SHA1
4611b4d4b6ab917a378d64127c4fd2fe989a119f

SHA256
6a133d15cfb6ba56c92016d4510384cc32946080a2bdf052da0aa7723e13ba44

SHA512
b01723d193c665160278f40afa1dad0c34a877868c4942cbef013c4c3a750fc91c10726cbf72b2694255a6115c8818a346c17fd4e062341a8edd47ac3a5d8f15

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
320KB

MD5
d2f7887aa2f75336b696fec8750bea30

SHA1
cee62c2a4f028eaef14c3a7030c640e5e82688c0

SHA256
417b5199e03b8a88c0a07665b5e1a777eace1ce322734725514f929457338add

SHA512
7dd1572d62202c0466d3d8875a0e695a2d37e3e017ad9865b1e7d73aeedd24ffcab7532aaab7349f31601ab170c9ac0ce795219b4d36c319855592e6c078cf7d

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
320KB

MD5
357a38959ea68728a9aeaea15419bbe5

SHA1
23b3aca6d4e62fe415c693081bef3b2818a1776a

SHA256
cbed48972e6d3ab33913ac79288b6b2e7a349b18107951fb01d35c023dcebacb

SHA512
a5fcca41c89ee6898636329308f865f13216930a586af45356cedee3d799b960924d08b7ea63009e238632625843f7eca72b4fac6ad57b62343350bdd0641a5d

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
320KB

MD5
e3bb3ddc395cbdbd2623036c61dc64b7

SHA1
aeac02492a3c4180c7b298e219dee90a2a4c5942

SHA256
47f8dbd6a0b297ceac7f0e47f3a779ce4dbfe51ee50703c1146eb0496d6c3501

SHA512
47d143431b9cdba68973e40e202d105654e87fd2af6dd016657cb6536255bb96e02393f77b9b1cb98ec247225a3262c161c852efd65e5df1642d326484aacbf7

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
320KB

MD5
fe84c4e794567a5a188a311b28103bff

SHA1
cca5f177f74b6e8d25042ccffc2a15464749a360

SHA256
42c56a4792db296697d75ae7f94ea9f75a01e519281cc1ca92894807ca47cd00

SHA512
1d8a50055f382232356a866ad7ef39c8b19936b0d711b10bd7daa1dc39f3bfade0e2c6f64dd667872c7c9578dd13c2979fba524d9b401a51648f1c530323ea86

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
320KB

MD5
ca3b1ee058e9e7fa148feb224d32d019

SHA1
bfa9829595a094719238c88b754e090b2e14bddf

SHA256
5032345d4bd73388bc84a7130ebab583e8b68747451c57994164d973811ca259

SHA512
25ce17d7f681654e89278b11589d9575c5f0d2543d5e1f2fec4946abad54e5ab8c906fc6fb72b317ebd114f2b05252592cc88beda4086163c2d6665fc26f7ec0

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
320KB

MD5
85479a9817126838fd9534a0d509fa92

SHA1
9f69dfc625301975c5a49a2a95e79349e9edb2cc

SHA256
5be4a8fcc9b4150dcc3c6dbc2f969818a7652a995320df8135a3181d0edfbd91

SHA512
ccb86c5b1d3462e1cf57e1ba6f936f53c487dba5308fea92f61f34ef7679dd8a50ec117558bb3a8ff3d9dc807be1bf7085347019652b43bf7ad35a6d167fe2dc

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
320KB

MD5
fa3d702500afa0bd92943963294d6646

SHA1
6c8047accdc468dd174ab4fc0e5379535819521a

SHA256
4cd7fe491e0cfd8f58d009a18746edaa842140d1cdb7c953114d3b9d094fd391

SHA512
7da3d9eb5a32aff271d29cc42c8e934fe0df56b03d758f2027bf00ba84306860c4dec67d03b8ac5ebd33ce5ca01264b9549431b1ab313f2e2cc56eac94f937d4

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
320KB

MD5
b2a012bd330b1a5ec10a71876c2a5485

SHA1
a25cb3d99745474328ead1ae791bdd9661b69cac

SHA256
248a3a2907e4e32d77437001f863246d78c4e27d6e4e2fe2d49d520331ee79f3

SHA512
da8cae318dd7fc8b554ba7511a28933ebe1e85387bf3f15af1e27ec93cd6d0cc89b2772bcdf785bf59326bb840cdfaa34e38d83c3ba471b143173ae072fb2a02

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
320KB

MD5
a3e05f2ab75e67468c949f8c2f12743c

SHA1
048b7d3a0985a29493b886d67a8bc63f5c0e2019

SHA256
f54cc5c7de635035b62d49a83b1cf5f706465e7bb9d1320ce75e489e79127856

SHA512
c5ffa0267dddd85567b8fe9f46cec3b2e76520ddd38dfe072c123c73977cfb1c0d4f672bae7c1b07c632b98ae8855d7f6f711d73b1a0d1a60f597a6f73234483

Download Submit
memory/548-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/968-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1164-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1492-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2408-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3248-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3260-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3396-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3472-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-588-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-513-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3656-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3700-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3724-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3728-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4020-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4020-589-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4144-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4220-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4260-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-523-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-483-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-489-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4884-501-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5020-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5036-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5080-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads