berbew | 15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe
Size

352KB
MD5

f95667db88c5237e188efa57539859e0
SHA1

bfd4c6b2bd0a9f475cc19ac31417261e7ff6957e
SHA256

15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05
SHA512

09ae2430c2301ad25c98a0bc894ad86873d7e2bec80805a63499cb556d752be3d478db1504a66821846f8fb2a56a4c6815e320aa5ae2c26784227c8f1f7f8613
SSDEEP

3072:Wv3mOqWTaMPKM1FjOJF4EISi/i4gG4nv4H3EzkGSaXiT+9S+a1+s3wNxn:YDqWTJP1Fg4yjwHL/T7Gsyn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3200	Pcncpbmd.exe
2556	Pmfhig32.exe
3516	Pfolbmje.exe
4952	Pdpmpdbd.exe
4232	Qnhahj32.exe
3284	Qgqeappe.exe
4172	Qmmnjfnl.exe
4700	Qffbbldm.exe
2120	Ampkof32.exe
4444	Adgbpc32.exe
1320	Ageolo32.exe
1036	Ajckij32.exe
4948	Aclpap32.exe
4768	Afjlnk32.exe
5104	Amddjegd.exe
1068	Aeklkchg.exe
4632	Agjhgngj.exe
3620	Afmhck32.exe
1676	Ajhddjfn.exe
1696	Aabmqd32.exe
4792	Aglemn32.exe
2344	Afoeiklb.exe
3180	Ajkaii32.exe
3588	Anfmjhmd.exe
3960	Aminee32.exe
1892	Aepefb32.exe
4404	Accfbokl.exe
2380	Agoabn32.exe
3976	Bfabnjjp.exe
1944	Bjmnoi32.exe
1160	Bnhjohkb.exe
2520	Bagflcje.exe
228	Bcebhoii.exe
1232	Bganhm32.exe
4280	Bfdodjhm.exe
952	Bnkgeg32.exe
4160	Bmngqdpj.exe
4436	Baicac32.exe
1364	Beeoaapl.exe
4388	Bgcknmop.exe
4536	Bffkij32.exe
2912	Bjagjhnc.exe
4684	Bmpcfdmg.exe
3992	Balpgb32.exe
1316	Beglgani.exe
4992	Bcjlcn32.exe
3612	Bfhhoi32.exe
2384	Bjddphlq.exe
1260	Bnpppgdj.exe
2056	Banllbdn.exe
3204	Beihma32.exe
2676	Bhhdil32.exe
4020	Bfkedibe.exe
920	Bjfaeh32.exe
2332	Bmemac32.exe
2940	Bapiabak.exe
3956	Belebq32.exe
1444	Chjaol32.exe
4088	Cfmajipb.exe
3756	Cndikf32.exe
4540	Cmgjgcgo.exe
3628	Cabfga32.exe
4040	Cdabcm32.exe
3692	Chmndlge.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5740	5560	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3200	4052	15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe	83
PID 4052 wrote to memory of 3200	4052	15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe	83
PID 4052 wrote to memory of 3200	4052	15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe	83
PID 3200 wrote to memory of 2556	3200	Pcncpbmd.exe	84
PID 3200 wrote to memory of 2556	3200	Pcncpbmd.exe	84
PID 3200 wrote to memory of 2556	3200	Pcncpbmd.exe	84
PID 2556 wrote to memory of 3516	2556	Pmfhig32.exe	85
PID 2556 wrote to memory of 3516	2556	Pmfhig32.exe	85
PID 2556 wrote to memory of 3516	2556	Pmfhig32.exe	85
PID 3516 wrote to memory of 4952	3516	Pfolbmje.exe	86
PID 3516 wrote to memory of 4952	3516	Pfolbmje.exe	86
PID 3516 wrote to memory of 4952	3516	Pfolbmje.exe	86
PID 4952 wrote to memory of 4232	4952	Pdpmpdbd.exe	87
PID 4952 wrote to memory of 4232	4952	Pdpmpdbd.exe	87
PID 4952 wrote to memory of 4232	4952	Pdpmpdbd.exe	87
PID 4232 wrote to memory of 3284	4232	Qnhahj32.exe	88
PID 4232 wrote to memory of 3284	4232	Qnhahj32.exe	88
PID 4232 wrote to memory of 3284	4232	Qnhahj32.exe	88
PID 3284 wrote to memory of 4172	3284	Qgqeappe.exe	89
PID 3284 wrote to memory of 4172	3284	Qgqeappe.exe	89
PID 3284 wrote to memory of 4172	3284	Qgqeappe.exe	89
PID 4172 wrote to memory of 4700	4172	Qmmnjfnl.exe	90
PID 4172 wrote to memory of 4700	4172	Qmmnjfnl.exe	90
PID 4172 wrote to memory of 4700	4172	Qmmnjfnl.exe	90
PID 4700 wrote to memory of 2120	4700	Qffbbldm.exe	91
PID 4700 wrote to memory of 2120	4700	Qffbbldm.exe	91
PID 4700 wrote to memory of 2120	4700	Qffbbldm.exe	91
PID 2120 wrote to memory of 4444	2120	Ampkof32.exe	92
PID 2120 wrote to memory of 4444	2120	Ampkof32.exe	92
PID 2120 wrote to memory of 4444	2120	Ampkof32.exe	92
PID 4444 wrote to memory of 1320	4444	Adgbpc32.exe	93
PID 4444 wrote to memory of 1320	4444	Adgbpc32.exe	93
PID 4444 wrote to memory of 1320	4444	Adgbpc32.exe	93
PID 1320 wrote to memory of 1036	1320	Ageolo32.exe	94
PID 1320 wrote to memory of 1036	1320	Ageolo32.exe	94
PID 1320 wrote to memory of 1036	1320	Ageolo32.exe	94
PID 1036 wrote to memory of 4948	1036	Ajckij32.exe	95
PID 1036 wrote to memory of 4948	1036	Ajckij32.exe	95
PID 1036 wrote to memory of 4948	1036	Ajckij32.exe	95
PID 4948 wrote to memory of 4768	4948	Aclpap32.exe	96
PID 4948 wrote to memory of 4768	4948	Aclpap32.exe	96
PID 4948 wrote to memory of 4768	4948	Aclpap32.exe	96
PID 4768 wrote to memory of 5104	4768	Afjlnk32.exe	97
PID 4768 wrote to memory of 5104	4768	Afjlnk32.exe	97
PID 4768 wrote to memory of 5104	4768	Afjlnk32.exe	97
PID 5104 wrote to memory of 1068	5104	Amddjegd.exe	98
PID 5104 wrote to memory of 1068	5104	Amddjegd.exe	98
PID 5104 wrote to memory of 1068	5104	Amddjegd.exe	98
PID 1068 wrote to memory of 4632	1068	Aeklkchg.exe	99
PID 1068 wrote to memory of 4632	1068	Aeklkchg.exe	99
PID 1068 wrote to memory of 4632	1068	Aeklkchg.exe	99
PID 4632 wrote to memory of 3620	4632	Agjhgngj.exe	100
PID 4632 wrote to memory of 3620	4632	Agjhgngj.exe	100
PID 4632 wrote to memory of 3620	4632	Agjhgngj.exe	100
PID 3620 wrote to memory of 1676	3620	Afmhck32.exe	101
PID 3620 wrote to memory of 1676	3620	Afmhck32.exe	101
PID 3620 wrote to memory of 1676	3620	Afmhck32.exe	101
PID 1676 wrote to memory of 1696	1676	Ajhddjfn.exe	102
PID 1676 wrote to memory of 1696	1676	Ajhddjfn.exe	102
PID 1676 wrote to memory of 1696	1676	Ajhddjfn.exe	102
PID 1696 wrote to memory of 4792	1696	Aabmqd32.exe	103
PID 1696 wrote to memory of 4792	1696	Aabmqd32.exe	103
PID 1696 wrote to memory of 4792	1696	Aabmqd32.exe	103
PID 4792 wrote to memory of 2344	4792	Aglemn32.exe	104

C:\Users\Admin\AppData\Local\Temp\15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe
"C:\Users\Admin\AppData\Local\Temp\15615683a74b059cde3c653f7dc7bee021ccf1a27374e6dad4980d7648030e05N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\Pmfhig32.exe
    C:\Windows\system32\Pmfhig32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Pfolbmje.exe
      C:\Windows\system32\Pfolbmje.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        23⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        39⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        67⤵
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        75⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        76⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        91⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        94⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        98⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        103⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        109⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        111⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 396
        112⤵
        Program crash
        
        PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5560 -ip 5560
1⤵
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
352KB

MD5
f425fc72094c795c16f601b5710c7cc9

SHA1
ebdf3404ff1cca7e0b37909175c64c44f62f9abc

SHA256
81282403bbc777c52629d559c94c5891c752d84998fb3fa8f15e2f82098e8505

SHA512
0d1cd8ab9924b6590b140995a0f9bee0b5d60d0511a6e49cc2b61d77687a93976bf8857eedbc4ceb6633da6d991d335c6b85a616a1886be2fdf92cad73b90ac7

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
352KB

MD5
032beee912eedaa39595eb0c5a3bbf16

SHA1
ea861a426238a1a87400e6beabfb0fd075dc34ee

SHA256
8d465e2a1410a2ed635f8bbf573f6f16e1e716cdfba1d4d881c84a54631fc6fd

SHA512
c6427db72588a260ac095cbc804a1081f1c7f41ca8abf7e44d2f44e9b3d734a6ffc1257eaf5d12b4d6b04e0efc5f861a18b9e08a1d902f9cbc0fbcd7f8d89c3a

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
352KB

MD5
7d5364da6e2b9505720e41117600a3e5

SHA1
c78eb5396f6b55f5244d1545046ddfa5ce6a0fef

SHA256
b6e0142c565dc9e509ac5f76aa7f006915ba9dd8ba71d6a1b363795c204bce0b

SHA512
3871cfb695d890abf7153fc5968507566702ae6810e5031ab2bf21e0ae77f1fc04fe438c3114458cc371a9103e456b01a75560b019f996f6d7523252d9f7d2c9

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
352KB

MD5
4cacae859dbb93c6b164ac12c67fb5e4

SHA1
7926e3e16d1c06da2af0a3ad906a2ee7ecc2bb32

SHA256
b6a10e1cc54174744950013183816fa5c4db83b15770197affbc36998fc5b890

SHA512
7b97d35a5d1a3651c2c6b5083ce4394f59f846eb6e60ed1853b0957c3138d0d72851c4df5d3cf0b8dc36fba585ac7e54d088676058b3e43f8681ca8a5488d4b5

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
352KB

MD5
e6c15112022d369068ff79a8bc2c2cdc

SHA1
bb2be3f90abb4342040ea1bdda16e2dd1624e501

SHA256
a8f0249b9a9b0cab47bcb21bfcae56f454f6a51ac39f56dfb35ec58940e9fc33

SHA512
0176ee0d223d3d0d1b9b3ae87f305378dc9b237e3a0176261195d6b92a7cc5bbc21b604315b977344de426d3d7bbe6368b679da6f3a6dae3d2914238333d9292

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
352KB

MD5
3b4b8eec60661f337c7ad76cccc75501

SHA1
1999e6872fe1cb119778de9d6aeadeb330ef3d8f

SHA256
e880c4b0289cb73860757bc7ff497545158bcee1288e0f27e2358d24fba2e4a7

SHA512
7d1198e4a4da998bef1f47ffcbb8acfa8ca7baf6ed821f27e3a724b595100caa870bc4f13c0633891c604b142f3e36bb2d50c2ac745c0110cea671191f620495

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
352KB

MD5
eb670b84c1b78e13362c2e4cd49932e8

SHA1
2fa610adb6018c7b4aaa7eede235dada03a7433f

SHA256
d965e9b26fd65326d4c63eb9da65c4d28075b7917abfa8a9c5c092a1b12407bf

SHA512
8c5e1dd5aa8925eed3faa95cf65fbc2a9b9e5ea6d598140712706cebc34cd05ac566616857597220b87b854d9abe5bb311d2d2a9a490d324f4e367ddb5455b84

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
352KB

MD5
2021cce0cf3e06feede2ac23823866b0

SHA1
34cab5fdafe9c7d726a7666eaa14b9b7b5e19c4b

SHA256
2e93f271d5279a7ebb9c068b34c4ab6aedf5a504a215b704c1b2bf9259069a2b

SHA512
775a5ed9819367c99b0f677c9f3b9e59a3f21f74601c16048a2d73237e63a5efc4a8db55cb598e66adf687a1cebddc46390f3b54f91ed26ea97f5e5e6432842a

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
352KB

MD5
de054bc9253009839192c2616e7f2e53

SHA1
930d8851bb36ef6691c551c5bdeeaa4dd04b2bad

SHA256
3aa5c42bdb51207ebbbb7c7c931b720c66c757c3a70b61bf4f61b0486a96a938

SHA512
cb37326f64f02ee1a9e4efa56d4098926d43b04729dfdd84457d7c97905d1dc512c5b5fb9ee12876191a0843afdffa8346008f6f5e1d4b7182cfb4265238aff9

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
352KB

MD5
2644838974386edd45fd43f05f4fb42a

SHA1
b1c4090bd0097569973a0450887bba81384bbd56

SHA256
4ccaf38d9c61a2a5150c7ab7dfc292c953e769ef729aa97a47ad3a69129ab506

SHA512
a83d7fd3b62c747369a458859a958ee2ef76a42e47ac55ce74d8df4d9cfab2b65df76f6014bbb606f4081e8e28d64ae2a529334a578dd18db2acd2e77116b48f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
352KB

MD5
01da7126472209688d998ff16a8d527b

SHA1
5409202eefd14eae7d26b664e185ec1c908900fc

SHA256
609b3df0d6c8d849e8b9a43553d19433385e52569e66520e9f5cc3a5998b3faf

SHA512
d4046c0f8f2dd78defcd8b083dc0d328824319667aaaf320b569408cdb6b5bfbcda49e50f595d53a6b791ae27350971cd84baad91302160946cf49f934aaea52

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
352KB

MD5
0266b14c6b71ce63b830389e010ac90f

SHA1
5624ddb34c754ec84c9c4fea7961a2367eb927f9

SHA256
a7ee98a272f1b94fec2f82f6730d4ee67d37c3caf5ef3b48e588d78b2007ac3e

SHA512
2cfbfc32375fe9da5d86f31b7ca007985e3dcc617b04753bf70b0e2105f72e477e33a7046c761f613bde46f95882082fceea5d2b8e7f792fb2b4d999a60c69a0

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
352KB

MD5
9060d5b87680be1fe9d8a9748caa4eb4

SHA1
b1b8790b54e8f4a3feb1850ddad5deb827f7664c

SHA256
d5024400eb252a59f350f2a52c7f875c07cdf8035edc6a9136be30c267456300

SHA512
76c6c21f1392a713b4ff696b078e291c8b63f749aa9600498d35894b5fa0991f69214ed33eed6485666b3c9cf5f6f3d359c4125de0b12a1fa706266fe01894cc

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
352KB

MD5
1e702570a90056dc8ccbdb12e3cf66e0

SHA1
09617f7247041dee13da19d2832516f5cf46167a

SHA256
b42f769ad85d53a4864e779e73cb18fc1c61a52cb01424706894eba83c4517f7

SHA512
27e04fb66c60b556420e8599dc08fd013a94be4f7868a7b6482df1555882af9892702a68e83c5db80a0b61d9b29c104f99fc04900568731190bc061619fd5273

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
352KB

MD5
98a2301b632e73e76bf3e9c276a85030

SHA1
9f20dd5aa3ac710186585cdf22b307f0c0a849c6

SHA256
28e203388c648b63f43ef85944714850ce9aba087f692500c00eee3bcbce5501

SHA512
00dff3fcb532cdde0c91e8a0ec19f2a312a04dac2277165359175efd589dd1efbad54fa6c2859287e299b049e5f00d6fa9eef371b90be089b7f1de4edcfeccdc

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
352KB

MD5
38144ba30dbe18b6860e0a7d81422133

SHA1
87249bafbca5167befdbea9e019d4c670baa842f

SHA256
d067d9345e2ea61d2ac6bae6eb8e6b4dd5f7840cc6c43ab33b46c0a9141d0d74

SHA512
2cd703585b110eae518ec90b32af4e7c8ae0ee3b5d4c4c9cc439f530d5ac4cc145105b4a34b0c3d2cf22e9c7c5b575f9b8f06c1f7a1d1d8a9691fe89667dda4c

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
352KB

MD5
43c289c153fbde7aefdba245be3239d0

SHA1
e3eb5f3726ff3dd95bb13eacb2e791a9f94f764e

SHA256
7ff42a88e1b0f2ed8bc8f3bd94a7e05df7d816487ba5172d38459bd263f94c78

SHA512
51c3b5452b08da7b35186b55d7e5329addd21d9f6d15c107cfc233bd79e1055dea75b88f24910b49728429feec9cc018ae8f5261e1c4e7411c3c9da67c41904a

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
352KB

MD5
26eecbc0fbe3339de05a83b8ccfee500

SHA1
a7e4b65cf8547b5883429b332e725a337f85dfb2

SHA256
77a8c7bab2c2d8cce83014f1a7d034624705c60e04c51beaff62a8348c7e14cd

SHA512
fc24399275847f9ccfbfeff803edd4ad9c6fd60c948c282ecad4755fba2c6af957d4b95d0f7dbb6ded8e8335590b2be90e49ce4b8dd242dbf01f18c852c14153

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
352KB

MD5
35a62033b20fc86c7b5bb314c1c8ded8

SHA1
1bbb7fd155b72a43c310909332f0ba570fb8edd6

SHA256
25a3db1f7192f07af8b4f17ee7405031649763d49009203c648a5054f5287e5f

SHA512
79fbe30076f5134339f1075a4e269ba4004d0d67534f6931f97b08c6f1ef2a6d4b654d77f8278f7b1b3228ac314bf7b1deddf2f7298e244509ce89933398f5fd

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
352KB

MD5
9c9e9c6d7668999c30b4ce9337fcd822

SHA1
40852582d44ccdb7ae1f98f21f05b056f7ab1890

SHA256
a42c16271a5d4bcf9dd65eb63e7dc81c6b99c8c3b565737c4573cc35d43bf7d2

SHA512
880f09ac259f85737843009a7a812a57213d6efc21e7554b9737d169afd22b9383436c067f02b833488cf2f7d1eea4cf6faf3f052e25f0e6b05644b96e495f6c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
352KB

MD5
13e5ed820fb7670512431de0c8c6ab66

SHA1
c6360a20992d78486bf6b5bc69b718a6eb6844bf

SHA256
9f791ef59efd99ca4c4840153e47184911513d81dc98d03cb5e8779c9e5498af

SHA512
4b4e79760494db481e28d4523af8342db65d34ef08728c430e775697856d1c0a21a63b5b57904b5eb09a8f5f7dc41ab204bfe5be6323713f31d386e3425a53a0

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
352KB

MD5
7e4efb987057dc6397264d965ed34134

SHA1
72ad994ba66451e0faeb4f299f95e0ffc2f489d8

SHA256
909a76fe833fdca002a9fcf24f4f3116dc57afd08ef5b7d34998485854600dfd

SHA512
83ed7d503cb09ed36780b29af0e9a11ff07a2df29f45a505e72c53847e61c12ffd5d87a655f752c11525cb5ccb757b9f8369ecbeff78594a2472df07d96340ae

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
352KB

MD5
cea74d66db6218ca1e27af3c8745d76e

SHA1
1634296fe4970d64acb3a404f77f19eacc49d6e1

SHA256
8993b0346fe7b14cc30726132315e5131fe1a9ac567d62e479047cb99ca49dff

SHA512
240edc4d0dbda3d644a08ccc7fce7c8b445c3263d5d2ff74df70d0d7497b4043f4fee4b0ec64d64df64932137ffe9b782460a1066dddd4313eca6071ea1ea856

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
352KB

MD5
a384affaf20da42785cf6730dda8abb3

SHA1
0778bc8b355d52a89a92ee97b46a670b7119a36e

SHA256
366650a8f2b21571122336464386bb658c034cc0c0473cf5f8498abf8b045d8d

SHA512
b7e85b8b967cabf743b9c1dec9fcbacf072a594b0216eb797d8044cb44d35d8ed39ad1d5f8dc401f447fb94415995b379437ba20c86d0cc32a206b40d9478c62

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
352KB

MD5
07950d01a18f65a3fe7a7cbbfcdb1f92

SHA1
8aa00e4dca089cf761c1b6489100439c5d5d34a9

SHA256
a91de17dc8026177167db4ea8d0fede2e8e7ac07552264197d121f6466acd3fe

SHA512
1db128db0f2ce74494eee7f38a48a7931ca1261536bdcf7bb7aaed770a5e8182668ab103459bdcfd89eee46981c0186feb8b0ffaad59aedd4f55a79bec822253

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
352KB

MD5
2e2f36ec7b0f1baed0de463a4fd5d4b8

SHA1
c12191a2f7858f8259e605378e87144fb94d62ae

SHA256
8f312025da33cbd7ff3a6bca0bf01ffa6a782040d716be58274c8f9958868084

SHA512
41aa05fb9e26076ec4e012df7cf85073a4e4ffce905c8a73f64aaba1fcc577ba880d1013ec391b2b198f5f1f18e8401070cd968960b090fd8a1bf216ad99b8f1

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
352KB

MD5
e61baaadbca6caf6722a835154911303

SHA1
86790bea29063adfde4516933cfc676baa0345fd

SHA256
7d339e16f5fa8bd2e5fdab487cf5db011bc120559b2eb4eb5f8742fc20fc59dc

SHA512
04e1b95990c66bacbd3a368863ba2060208aade1375907ba9de6041e10c338c48eaf5c787b2d4bb78ac3fe86a02746eca44d56144dda02e2f668f743ddb7fda8

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
352KB

MD5
f584a8e52b704b6a45a78282a30c2f13

SHA1
160eeb36ccf81224dea287bac7638b21f6c9cd3a

SHA256
3ba5514a4b0bc1b7dc2a838d4b172433ff56692608814a8ec0548ba82afa6b4f

SHA512
9d79af6a03dddaccc3aa06443551f7089e06f0a76f5c688af415cc2a9107f1226b6d25fccba5c065954e846569f4c15283c9c4f38a7656ed9bbf21e2a35a2296

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
352KB

MD5
da8af2dabe7fe2384b5ecc422ab29e23

SHA1
7f3d6d5e243591c2ce406045515ce11cf34dc03e

SHA256
f2a81c089c95e3e80c432a3797e8eaa727fd535009b279937f216d73ceb03f85

SHA512
91f5fee101f2416f4e2e920e6b18217b9e2743131fb3c33821e89f461ebb3fb594fabe1fe3ee1e5900aa3b6b680a3fde32e08728f457f6eec695131d9955681a

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
352KB

MD5
0443e8082550f06437a0c3fa41f5a10f

SHA1
40409c9ce3f4c0ee833db1ce764451a100e8848f

SHA256
238b8d1a838bdc17b402a95eefeb10089f3081cbb6fc42adb0b3e5ddd14a04b5

SHA512
1acd05163be99acbe364ee71cd54f28bfe390608583855de54f0f5a955b9be8abf6e0414b0198a8b7de9d58812a29d05946d306ebec96efd074cb9ceec5dec58

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
352KB

MD5
9a4388a31eb1aaab8df43b7f1f1a34e7

SHA1
2871e9bd13f41021b7898e97c73ecc33a1487979

SHA256
7d5715ac77cec6e1bad6ebe1e6e7efb979461b322eb1d6c3e49aec39015e94ce

SHA512
27b076ae69a66dc4a6b024b9df6385459bf9d86a4e186247695ef6176d690e08d3f28f4b43af883908ffcd76429745c972276db250def678c770bacd09b58a8f

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
352KB

MD5
f30aa25a8e5a94ab840fb1a1156ba32b

SHA1
d3ad367334ae95187fe17b42af7bce8b93049e89

SHA256
7f97fe2c5ef61441cec712eab1ad481222ff2a6eb6b13db3e49e36697b849d8d

SHA512
c0808b747a78770e75460e573d344d379bee3f1c61c6bb5384e4d9543d25f3aea368a2d7c7603de505a88ca63cb0d70f6d03ba87d05b12eb1a2edfe43898cf90

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
352KB

MD5
a6a46da2548ad8a20da3f564afe35fcc

SHA1
b849f53ca5ac6a9d12220df3ab3e4eae5bb59a99

SHA256
484f17b114feacefcc996586d4ace09f9fc3621c4bc20d506d91addb09b817cc

SHA512
bc0a3f8d1a29a9527718dfadec52adda075985f486cfef8f237b68fed1504e5b20e8dad95e4b42d993c40664486176008b99c641334745e8490bd9d5ef12edca

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
352KB

MD5
6aa7b252174ea0418d2b17fb707d8440

SHA1
a5f35756981cbb2b4b4858aaf97728964289b29a

SHA256
d9f9f2b72df024ebb1cf261dd0cf864d2e929fba78f6f9b9b48bf8ff6a637bac

SHA512
374d9c9a3bf53308b75297a59a3e17d71029a57608b2e717408f13250496cb3905250b876f0c56da5e016bc2c200c0aa2e203706574b06b33d913e72af683457

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
352KB

MD5
4981737ec9426ffa0fdbd1833d326b7f

SHA1
407fffc5217c0b3ec562d5226159adc3dceec387

SHA256
86abba30ecc078798cc398906204309450d423824f0f721ab2ebed632769c71f

SHA512
4832f407f8eaed0d2890aae462636112b7535a338a76c5fbf85b310f508ca9db236d18c23acdf03080f5bc2cf1134c884d6ee7b3062d3f5300bb56bc53bf35f8

Download Submit
memory/228-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1260-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5168-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5208-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5248-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5292-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5328-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5368-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5408-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5448-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5488-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5528-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5568-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5620-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5660-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5704-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5744-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5800-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5832-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads