berbew | 441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
Size

97KB
MD5

ebcc70b7a528ae6dee5d9e31c686a8b4
SHA1

7d72b82158bf0310fce4927a473fd3fedb7204d8
SHA256

441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3
SHA512

9066780ac429afbe086b50d1aa2955658342f531e7cd7dda31416509cba5a074d24d09baf11ed15500d779d5fd35b37ddfc1f40a51cc0184561dc36a463208aa
SSDEEP

1536:RMSTouqqMifaRXC2PP2Rs8bjcJmXUwXfzwE57pvJXeYZw:rMuumaRXBP2RsvJSPzwm7pJXeKw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5016	Pnonbk32.exe
2392	Pqmjog32.exe
2820	Pdifoehl.exe
1540	Pclgkb32.exe
1076	Pfjcgn32.exe
448	Pjeoglgc.exe
4740	Pnakhkol.exe
384	Pqpgdfnp.exe
2472	Pgioqq32.exe
1404	Pjhlml32.exe
3520	Pmfhig32.exe
1584	Pdmpje32.exe
2376	Pfolbmje.exe
2100	Pmidog32.exe
3196	Pcbmka32.exe
692	Pfaigm32.exe
3792	Qnhahj32.exe
3108	Qmkadgpo.exe
2524	Qceiaa32.exe
4800	Qgqeappe.exe
3708	Qnjnnj32.exe
1044	Qqijje32.exe
1652	Qcgffqei.exe
2960	Ajanck32.exe
2452	Aqkgpedc.exe
404	Ageolo32.exe
3736	Anogiicl.exe
916	Aclpap32.exe
4452	Aqppkd32.exe
2484	Amgapeea.exe
4988	Aglemn32.exe
1912	Aminee32.exe
4296	Accfbokl.exe
3516	Bnhjohkb.exe
1588	Bcebhoii.exe
5048	Bnkgeg32.exe
3164	Bmngqdpj.exe
844	Bffkij32.exe
3292	Balpgb32.exe
2164	Bcjlcn32.exe
4572	Bfhhoi32.exe
2712	Bjddphlq.exe
4476	Bnpppgdj.exe
4936	Beihma32.exe
1224	Bhhdil32.exe
5036	Bfkedibe.exe
704	Bnbmefbg.exe
1204	Bapiabak.exe
3132	Bcoenmao.exe
1532	Cfmajipb.exe
3232	Cndikf32.exe
2700	Cabfga32.exe
5108	Cenahpha.exe
716	Chmndlge.exe
3488	Cjkjpgfi.exe
2124	Chokikeb.exe
3632	Cmlcbbcj.exe
4092	Cagobalc.exe
2320	Cdfkolkf.exe
4364	Cfdhkhjj.exe
1680	Cjbpaf32.exe
1160	Cmqmma32.exe
4604	Ddjejl32.exe
1596	Dfiafg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4072	4484	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 5016	848	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe	83
PID 848 wrote to memory of 5016	848	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe	83
PID 848 wrote to memory of 5016	848	441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe	83
PID 5016 wrote to memory of 2392	5016	Pnonbk32.exe	84
PID 5016 wrote to memory of 2392	5016	Pnonbk32.exe	84
PID 5016 wrote to memory of 2392	5016	Pnonbk32.exe	84
PID 2392 wrote to memory of 2820	2392	Pqmjog32.exe	85
PID 2392 wrote to memory of 2820	2392	Pqmjog32.exe	85
PID 2392 wrote to memory of 2820	2392	Pqmjog32.exe	85
PID 2820 wrote to memory of 1540	2820	Pdifoehl.exe	86
PID 2820 wrote to memory of 1540	2820	Pdifoehl.exe	86
PID 2820 wrote to memory of 1540	2820	Pdifoehl.exe	86
PID 1540 wrote to memory of 1076	1540	Pclgkb32.exe	87
PID 1540 wrote to memory of 1076	1540	Pclgkb32.exe	87
PID 1540 wrote to memory of 1076	1540	Pclgkb32.exe	87
PID 1076 wrote to memory of 448	1076	Pfjcgn32.exe	88
PID 1076 wrote to memory of 448	1076	Pfjcgn32.exe	88
PID 1076 wrote to memory of 448	1076	Pfjcgn32.exe	88
PID 448 wrote to memory of 4740	448	Pjeoglgc.exe	89
PID 448 wrote to memory of 4740	448	Pjeoglgc.exe	89
PID 448 wrote to memory of 4740	448	Pjeoglgc.exe	89
PID 4740 wrote to memory of 384	4740	Pnakhkol.exe	90
PID 4740 wrote to memory of 384	4740	Pnakhkol.exe	90
PID 4740 wrote to memory of 384	4740	Pnakhkol.exe	90
PID 384 wrote to memory of 2472	384	Pqpgdfnp.exe	91
PID 384 wrote to memory of 2472	384	Pqpgdfnp.exe	91
PID 384 wrote to memory of 2472	384	Pqpgdfnp.exe	91
PID 2472 wrote to memory of 1404	2472	Pgioqq32.exe	92
PID 2472 wrote to memory of 1404	2472	Pgioqq32.exe	92
PID 2472 wrote to memory of 1404	2472	Pgioqq32.exe	92
PID 1404 wrote to memory of 3520	1404	Pjhlml32.exe	93
PID 1404 wrote to memory of 3520	1404	Pjhlml32.exe	93
PID 1404 wrote to memory of 3520	1404	Pjhlml32.exe	93
PID 3520 wrote to memory of 1584	3520	Pmfhig32.exe	94
PID 3520 wrote to memory of 1584	3520	Pmfhig32.exe	94
PID 3520 wrote to memory of 1584	3520	Pmfhig32.exe	94
PID 1584 wrote to memory of 2376	1584	Pdmpje32.exe	95
PID 1584 wrote to memory of 2376	1584	Pdmpje32.exe	95
PID 1584 wrote to memory of 2376	1584	Pdmpje32.exe	95
PID 2376 wrote to memory of 2100	2376	Pfolbmje.exe	96
PID 2376 wrote to memory of 2100	2376	Pfolbmje.exe	96
PID 2376 wrote to memory of 2100	2376	Pfolbmje.exe	96
PID 2100 wrote to memory of 3196	2100	Pmidog32.exe	97
PID 2100 wrote to memory of 3196	2100	Pmidog32.exe	97
PID 2100 wrote to memory of 3196	2100	Pmidog32.exe	97
PID 3196 wrote to memory of 692	3196	Pcbmka32.exe	98
PID 3196 wrote to memory of 692	3196	Pcbmka32.exe	98
PID 3196 wrote to memory of 692	3196	Pcbmka32.exe	98
PID 692 wrote to memory of 3792	692	Pfaigm32.exe	99
PID 692 wrote to memory of 3792	692	Pfaigm32.exe	99
PID 692 wrote to memory of 3792	692	Pfaigm32.exe	99
PID 3792 wrote to memory of 3108	3792	Qnhahj32.exe	100
PID 3792 wrote to memory of 3108	3792	Qnhahj32.exe	100
PID 3792 wrote to memory of 3108	3792	Qnhahj32.exe	100
PID 3108 wrote to memory of 2524	3108	Qmkadgpo.exe	101
PID 3108 wrote to memory of 2524	3108	Qmkadgpo.exe	101
PID 3108 wrote to memory of 2524	3108	Qmkadgpo.exe	101
PID 2524 wrote to memory of 4800	2524	Qceiaa32.exe	102
PID 2524 wrote to memory of 4800	2524	Qceiaa32.exe	102
PID 2524 wrote to memory of 4800	2524	Qceiaa32.exe	102
PID 4800 wrote to memory of 3708	4800	Qgqeappe.exe	103
PID 4800 wrote to memory of 3708	4800	Qgqeappe.exe	103
PID 4800 wrote to memory of 3708	4800	Qgqeappe.exe	103
PID 3708 wrote to memory of 1044	3708	Qnjnnj32.exe	104

C:\Users\Admin\AppData\Local\Temp\441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe
"C:\Users\Admin\AppData\Local\Temp\441bcad32ce4f7e8d2e77f95dc1ede8566fcb245d27cfe89272fd84e475461e3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\Pnonbk32.exe
  C:\Windows\system32\Pnonbk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\Pqmjog32.exe
    C:\Windows\system32\Pqmjog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\Pdifoehl.exe
      C:\Windows\system32\Pdifoehl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        70⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 404
        81⤵
        Program crash
        
        PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4484 -ip 4484
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
97KB

MD5
6d5c09eba103036868cdfb862d507706

SHA1
a982cfcf21a4eb24d50f571f60f330855377ba29

SHA256
3916d37b4fae36a50d02943937687067d54578ee37d7e40fd1e8ad36b635b30b

SHA512
e81dbaa4e8cf913b4e8d2844910f32fef9e1b9acb5c51a29a23d5a8143ba0c37133cbb25cb8f6aebf38fd1b53c452d23decd41beb881448c53cdab0d63e9fe56

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
97KB

MD5
9064f77f7eb79e27b9f6b9b7b68e9514

SHA1
0d924397d8215a69d8acd2b43967f9d3ae6088ff

SHA256
ffa69a65c65c60a216fadcbc46d4cc4f676cef98fa137fa8c0c4a443e988a1e2

SHA512
4a530bdc5f4d9a84f66c3853044bf820618215a8a0050c7b87190b3db2f55e106c83713ef3e9dc4e0bc159362b3a171e386d256a22242f0ac1e2600f9c20d1f3

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
97KB

MD5
9ceae5fefc7822cff507f72993917871

SHA1
e8ee7826466955b9e3af5499ddfd0ae8bc8cd69f

SHA256
01a82e08c10141e9c7b179660ba3332d17f64036860d15222af2fc5f40965c59

SHA512
5c4720e4d8687febc2ed5e5aa7529a2505f4ee3a3c5f5c995dc8e3ecaa5f000812e27b6885d2fb6a2a557a5e38092c6c63f877d99c68f8fb8543595538d76a5b

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
97KB

MD5
d5e22b44c73c418a31948fb2d2d203b2

SHA1
2b80839e111d5d07e09197e825b21efe9c1a1ec9

SHA256
a91d16b0ca5f9d23754d25588eaf198b35c34f956952349ab0ae4374a5efbff2

SHA512
96edc3cdd472104b0779a4ee1da27da8c6062e804cfcf7eed7f8516f2ad111d3af643f092e75b42df9d9d1f8a8dc700d1496d45b819107c505809b9a78fedd76

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
97KB

MD5
75e78514be2ec15f2501750bcbc88df2

SHA1
e2a9f839e74ac683be8c86a060c6f9d02ce9f2d7

SHA256
b7424a03b235bdabcf1f2f82ec3a8702f3fc18a508078415f9d1b2eff849aa4f

SHA512
fefea21d4aa16692de7f5efdb29a909fbbd2b6b6e93a818e48699dbba510abbcc758b383794f8f5f72ee29c92071602ab70aaef11555d04ff815ce1dcf02180a

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
97KB

MD5
b11703b1f9c1be8a30ddd93e6cc157c3

SHA1
3dc6d19ded3f25900493f6d3402a48f2e02e6530

SHA256
139671c0630d3556fcb7bb3d2d3d994ebc0de4ed1d48132c86faca39241e8220

SHA512
ae36a38d01ba4dbe01819a37c0446b964db9641e128b7f37edd0119019402e6284826ce8cf09a4d6a9ae053df4b38bc022e9f2a076583ae74a0063941f7a319d

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
97KB

MD5
59da8060a39421f3ee5f8d1716f9602e

SHA1
eb4a145d4a6a220c1591b672c5a021c6cf0c7332

SHA256
900c75728eeaad723e4e6420bc91fa6fc2e50e2d10a1fb4f0c390f0b630a1bfa

SHA512
1f7d71ae1b5e0b938c412ba53eb3c86941f9b853581da51855ac2710e8c35c99858d14edab889362da319cd2490c64b73d836d61e13db50cd4ab0e5fe1c4aa5e

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
97KB

MD5
101542a86241e792f592db0c977c8705

SHA1
03beed2fbc94d7cfb81ecc2058f65d6563d76987

SHA256
d308245cc4abd96df9d567556ce29e0c2b367d18a7d7db45a80dd3057ed7d358

SHA512
670c11919de7d01553d1be52f2590a85a1d4c0dd409fbdc08bc11dc6204bcee44c9365034bd2db405af9737f069dcc6f60a58d81dd37a4f6b1efd59555bbe8b4

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
97KB

MD5
8c91e53b52e9008b19e70144d43deece

SHA1
fdc2e6087cb8f6e5dec547ff20c2ed8a6686b153

SHA256
87df669fcdf614165e6fdfd35940068d1d422bb29f5c7e01bdfc8781e10e993c

SHA512
3480ad570706e47f34a5194dcf2e6b650629b73f8bd72feb3c3c1e36d26194df6536cf352f7318306c604d7f3ba2c655f43dc4f8409c602c047c19bbbaa8d00f

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
97KB

MD5
22056ff83f7fb1ffebc9522fd277a1e9

SHA1
9bd0f9561a47ac729c189feaf948d3852c9487fc

SHA256
6c8c3f8c4635687c7b113b1b9065d2af82c978a45d91007e446f0ab53a3ebd74

SHA512
f03e73ba1419624285c2e27485c8330377bcf400890fe233fb0eea0d634500dd5250522ca8a819019d4ab09092fd227d3a5734d3f6818f4df33ea65f92336b8e

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
97KB

MD5
6924f936de88420ee2106cefb481bcc9

SHA1
155096848b8cae4d6f7b8290495a400631dcaf26

SHA256
42ccd1d71c6a13b2dbb22c5c673cd6226ac2f905c5c26338f383cc4383c41ee1

SHA512
ff19ce2ed13310a1ad2377687243e05f51aaa6865ec8460afd581e7c90ebba9ca4062858008a1cb82cbcbe4934087a654d8373cd7ac3ecf0a8e83718262778a5

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
97KB

MD5
9490a147f7e01f721b25417f458142a4

SHA1
9165cea8ae4c7d365e733387c397a73391de0016

SHA256
81e4647d31db9b07769d778386e0a72f97ef070fda23e964230e031177a62f68

SHA512
2e7dd2fac919d59d63e15a990b6378df1480ff47cc9abfd6808870030cbbe1043b745d13a3d925a15df4ea155273fa5039acd58f7826431873bdf787eb5b8916

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
97KB

MD5
5b7c4c8e69e6226aacb755e1b898fcba

SHA1
66d38c3e2ae178a9b0884ae8b596e24c17a6c33c

SHA256
aabc53734fe285e322a9092a193a32e6c5373633c5abdce5db77585a2ff3663e

SHA512
fa4516774474cf44405da34f407e24aaf8cfa31c3634fc5c20e21c710cc3af322781fe1cbb50efb718d1538ff879d66b82373f65459b0cac85cf07e86f24f824

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
97KB

MD5
b94013dc1b17580e725466a263c89b38

SHA1
2d56e4dba1264710aeba24bb6fd80fa0edfe8c80

SHA256
f07b833f37a254b3b0ede37ea3864fa93ec4603b3e33a071c94702d7bb169a22

SHA512
207493b20c90c167b273216735b0417aef129e11e42468f052485aebb0dbd4690deb7e30672dcf49f283f794af0f524ba0e4bc329f48d45cc77c75d463dd5a38

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
adff61af145997b5e0659d3eea1de3e3

SHA1
f9b14dca48a076a2bae04d99fd215dd2726a92a1

SHA256
364428be5d7b4b40b4932065ac34dce39a7dd0aade24277a4c7ea6c8e88e6cc5

SHA512
b566edece9c448c349726748a9e492ffcda2d602f96d8ee4a97efb1949497ffc51eeacc76c64feba7a64d8bd415b38034bf02f11914eaec4a497ce2adbbf06be

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
97KB

MD5
04e345180b74025daa7ae926c7e91207

SHA1
5cfa39762e6c54090f1a1c75bc62a58819b29669

SHA256
30e150828e8e2ba1d909ddb22f3de28cd55078ed7808c807c9f4adeaddb13480

SHA512
3203d07e38934ef8f57025b40e89d12d92b0a22f6a3d4d52416f70b1639d7de70922b5e3f9f7d3e937976b21958081382d284cbdaca8951d6ca2c58059a46cc9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
97KB

MD5
b19421892bcc6fd84db76fe23fd45c2b

SHA1
266b6d16f7cca4dfd8f13b52dcb8b1c4c1dce7b7

SHA256
48f65f3f5bdffc6641b8f27edfc3b73cf249c437a2bad26689ede47ecef89b22

SHA512
9776004edee067a3f937b4f2e6ec332334b6dde395467f1416598935045f3eab9630dbaf54e86983ea1aac73579034f2e0aa3ab558131d78e6d57b83669f02d8

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
97KB

MD5
14bdf9801cecd37473b697797c797d68

SHA1
eeceb59ad1fd4fba6a26637196c48f0947e753f8

SHA256
d3a426597dfd2f10f26f4e2ab07d1ac199acaa31d555ad258c743c0f68c88887

SHA512
72641fc80893089497825b5413d0680566aa6edb04d76d32ba471a5663e5b2fc41825997083b02ad9f76c9d0e1f35436012c2ea7e3a4ce860d7bc9c50b89fc4c

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
97KB

MD5
95cbe8b7e1e350b29f435fb8ea22e1e9

SHA1
6fb879df5891c6a3573f45dcd895859148a1ae8b

SHA256
ed1a07a358b0c7a4f6af4e764e488637b362b65e10e05465ae4c30f5b849426d

SHA512
1fdab6fb55ff57b87782d852cc2c5309a850d188d65d42e03f2b39c7620c7c652bec685af57db8b63120d6359779fa698cfdda1f36129eb9911d6ebb2730fe62

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
97KB

MD5
bbd7071721c718755dfe01b4357bd2f4

SHA1
143fdfaea955f703cd17c5736edf5579d6439bf9

SHA256
c993c9e57ed2a8b9cd62fd4118c4f98f6247afdd66abfde3b34485fa3b8b8b4f

SHA512
827f72c93222a89554b901fdbdfa2d16e08b1e8a2980f57753def383f3d53b443c0eed02e194dff2ace3bc407062eb3bb6cdc74dbe18cf3e17d883124a327151

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
97KB

MD5
9dec9fd3532119eae870e487e18e9840

SHA1
7e1796e8a8db5edc00ccf3a3bcfc9e51a85461d4

SHA256
3c4af61c4742e98bc087bfd0be532dad78a4f9a402f8e06555a8af7b79950b4a

SHA512
e2b8313b49ce93d1740423b51395a6c336afd870c40bfd283b1b913e52a618a71d224f9b4c6b25e4be96df7137977ef1636bd6789a4297d9b715369d34327e02

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
97KB

MD5
5b105043597a06d2bd57de09c80fca57

SHA1
812bea392ab658f9af8e47bb28e0f012e1000d25

SHA256
41322c210da9bcdeff3c9c7e7005571d5cfb0f3434f4e70004fc5e5687fe769b

SHA512
75a1476703c8932be179307509157feef4bd9d13d8ab9950c04aeff7d17b36d051db1419319c2df420990c217b0d4dbd49fe5a0622ce872cf0e361426272c1e5

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
97KB

MD5
ba33f5b65d8194577a41f3bc6b11bc2a

SHA1
2b29cee6d3b0ceb4c16589c584b17500a43a874c

SHA256
418b07cdb67d43afd963491903dcc1724dc086b9f295d66dad9928e343bcb42e

SHA512
4d977eb424416550c3512490d8ebd58fc3d44ad0b61850adbbcf15e6f3393ac66c99edd0f6a0af3c87989a876ceb50105b8f186d15de8c1eff8aff81063e0d77

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
97KB

MD5
6e69ac6a90607c840f02760c672c09a6

SHA1
1b47cbd9bde234d9fce5bb43847218cf5082a589

SHA256
a4196a783652adf9fc11c6dc15dbb96fa9458d35bf0a6f6853e3d6c01fd2622f

SHA512
f9fd20f5f31997aa8986e0e52f62b458aee2969caf72ac0d72210e8637276812fe408bffe442bae23a97fc9fc119a8ef5d81635112b66bc89538e73c7f24f817

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
97KB

MD5
15231263d30ceb55fe72d4479dbf3c31

SHA1
da1d72b7c24404cd3e27bfa402ef59366c025c07

SHA256
8f0d1379007b0c36ed91e6a305c83b6cc5c183a8592b6629a08d83a5863501c2

SHA512
d795de63e1d7a592ca03fc9e0e1e0353c9241f6883a9ef890325fda9b85cbe6b776c06557be2b0aca506a36ba48f24706f45089540415f7888a167e9a4bd50e6

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
97KB

MD5
7d8ec976018ce156b0df4651abb12b57

SHA1
040454406a0df2b2d3169af3f186dd8a27ac39bf

SHA256
37ec7e4174284d17145f8985a90040326a40a5aead14ad52589dfd80d239f9c1

SHA512
3b182b11246680953717508bfc5733f42536f0175be4c5b8d25476cc6b0edf2d788357297779bcb4a8ca01f5dc93dfbfaf7a567885a2f706befa5d3ea73f6378

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
97KB

MD5
24202cb761fc659c920203c926dbccd0

SHA1
19c94a2e15de182d399fc97705f61dc8c9815dc3

SHA256
d5bb7cf3427f819efdb831c6e9e2f1b2a2237fc1cb6ebf4055249f7e4c4af992

SHA512
37bbd3c558c2d5ec053d1c1a7d074fbfc6ad06d50178bc35fa0fc69a0dbe202026e3dabe0ec32adcdc972333bd7bd154aa7081b7f9e2a0a735727c33d2cf9165

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
97KB

MD5
ef63d28e74bcbcbcdbdae39b97944366

SHA1
8a5535212d3f792e8467e6c62898f78c4d391f8b

SHA256
9179e5548279757838d0866108c794c06818214fbbe38e67e05bfaca5792c3e4

SHA512
060dedacf0cb4c11ba134a028dcd24f10797a4db39fc9f5013423d4ce16713f4e243fbdd5f122dec0a703a445bd9c4be866dc002976cc587a4f67975cfc3604a

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
97KB

MD5
40d057f8001330acd6f585676e1142be

SHA1
23fa4353f8329875b0868d4db1e590f415622ae2

SHA256
51028fa54efbae3222419a7140b1e8cd3df395ffd4574a985dbe21fd00326ae2

SHA512
7e38669820649c416952dca415601c96e12b5036f0f75efd4314d0552caab4ae19a3f0c40a768a71f79a5347033dfffd9dd67c5b08fd1b9edabcd3b6f706ce4d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
97KB

MD5
a90acc3b828c3f1ae200fcb26aedb261

SHA1
40a9e00bd4e6af10d1f18ac24bc50d32b46bf673

SHA256
58e071ef58ff27740fa2bbd08e51f66c8d9287f316feb4de47cc3de96a444073

SHA512
274bb6bc213810d14a06a97ed00790a3ab7b2ff121e91940d70d7a2d3e84f84f431d246a3d3a4c74fdd1cd315e0ac7647c1faeab26511d49fefbd6e3406b7368

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
97KB

MD5
9fe2361749bcaa00e52efee7b807a87f

SHA1
10bf22b26f6d18cb77d8b00c6ee1da57e9d83585

SHA256
802a34515042cd64baddc6f42b382a833b36d4911b90e074441d89aabcaae5f2

SHA512
8a1ee45e7fec63c18816735b42df189db05791ba538d49cfc61fb974364aded0d7c4c3290c1fe0efb974be7d67344f01536ad46d8e94eb7c994802c109cc0e4d

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
97KB

MD5
7c7bb5de0707414b25b9157dbd640ea5

SHA1
d671e7e21b6de49a9a867727e9c24ed6367f3c49

SHA256
578548f50018787765b3c6f0d0c681851d1be58f3223eaed38bb5cf731ab389c

SHA512
312097106b9e7151f53fb870b3296f3b0c9ae22db8ce88164a906534fd597bf9882940c2ee6ba0e6d323dd5f66d330465c61bb26130b8ef1dec9746415cc7fd8

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
97KB

MD5
7eaddff4834c86459d8e538320e9f388

SHA1
dc64165dd6689d80d316b39840a936ae7ff289b6

SHA256
01c332b44fc99d40556b0bb906d9a6f8da751d943c1a0ded913426b59165bc45

SHA512
e80a84a01a75dcbf8d771faa77fea6ff5b52cc6b4cb2912942540b03911e95a80545d5e8f0b0aa7433edf436b450c8083e79b31cfa4765771c69bc1270fedb91

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
97KB

MD5
5c7d03a688d01f10a706013f348ad79b

SHA1
ac4825720d71b9513f71dae956867742dbbb274d

SHA256
e952c7bbbf4523b7aa3974ffa1ed90de7502bf791673bf554ad78a87d242d092

SHA512
bf6ad788101d5bfc988ef7f3d781c7c7a1074a772fe2d81e4dff0d713ce0a62eeeba15fe8fbda35fef9c62e915a5f7ca5960e4e3cf8e0105047e874779437f4e

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
97KB

MD5
6859c2300fc128bd3c68f9710214b6e5

SHA1
1ee97e4215ead10d7dd544e19583682006abed02

SHA256
e8e57b0ac5e6b076a4b8f8976fd2fd88f0b3aaca5cccd08196543076f0d058c7

SHA512
3dc25c35f38d1b3141f4d11cfcab870b2379e3b3810515107e2fd27f3ac9e5da609793ab45c7b8348f79c2805dbc7da6ac7e74169245f7d877fa3a7a1362e0c4

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
97KB

MD5
d75ebcd8570fe7ee95cc2e0933a036cc

SHA1
52de4ef3c29f3971e6eaba158f98420d9cc66d81

SHA256
2c1fb0c65e4ad6ed4a7a68875b15e7a3cac8c7bcc54875b1657ab988bbf1fb22

SHA512
75ea4e2a9fb34445efbd953e1c0f25a0ef4ed8e3d0461343a5476ad97f5facd8163b70033fe4338916449994207b8d29ea9e585fedabf74bcb0778cb8f004d4f

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
97KB

MD5
c85dcd3f955eb79286de2bcb8e8fb98e

SHA1
2e0862de3f89bfa281149005aad3154ce1726e8e

SHA256
6445501c8d9d30d89813e43ee93a482887a5f2392ccbbbd1210732d08c50713d

SHA512
74e4ab324550ddebebc6e52bed38b700dfcbec8c3230b4034df9240677dd6f34c68683a6bf80e6bc9fde6acb8131edc2d199ed6aad26650cabbde6170de31b1e

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
97KB

MD5
97c723e68b3e2d47adaf4f8bd6e17aa0

SHA1
3f86ddbb38b67e4e64b76757a1addbf008c74e3d

SHA256
dfc1c7b0ef52daf78f318c9cbba030f48dd744480025673648cbd078d4763cb5

SHA512
7845b4b2205cc7956b95b195170f6bebdd4fd89759117cff35c20e57fb91a9a844a248b82d0f4e957dd806b038ec3d40f8f7e312eaeb4ecae20c11aae702e079

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
97KB

MD5
33bc893927f5d808f8f48fbd5fbe12da

SHA1
9ccae458df74961b4e4f6ccb1627b8eb6f92c5b3

SHA256
d9e8b1d65003607927e0fdb51ac630b0366c25d314837c7a4999c181b1c0892b

SHA512
2c162c22e17149ee3bfdec6a9c262b881411314e6e4051f419e190694f6ebe16d6d935f309ec7ab0c01d4e808868d0e19ee6a0c76af3300c7437df1c5380e7de

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
97KB

MD5
3b6781bc3e855c0935638179237d6cc4

SHA1
e6021fe1aa58c47b8213cf066239ada779491928

SHA256
70e6149b7067228a687023624f18473f22dbb3dc8ea50fbaa159c22806bde784

SHA512
4c58d227bf7bb9ac8585b1b9a486c468bfdd71472092f9b174c53f53b6852ae3c3d18c7789ec61998a8b3df748de20b3b8456eef8bfb51466ad52b3308bf5ff8

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
97KB

MD5
9ef481767ba591a9782d6e19df10ced4

SHA1
c77b2c221990b2cc3647c932f8cdb8abfbe2e41e

SHA256
6552f7b7d7e3919b9db64b17c0fd46cce61ccfaffa8f6e611ce82a22eb65e53d

SHA512
a8628e0093741b99380e98c1cc232725560fa29fdf2618ce5826e1d6ab7ca31a19f88d9ef16f19f18599f5c6fbf177e488f63ab9b6d2959e59b5f19a5e94a3e8

Download Submit
memory/384-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/704-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/716-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/844-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads