berbew | eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe
Size

52KB
MD5

445ab26a2182df3673087754fea9386f
SHA1

02ee21188c2dbd713c19c30d64eb07990175b758
SHA256

eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772
SHA512

7dedb163d01e40b38a339f5f59c2e9790490dd7c42a5715b6da7562811042558d6eb2030de2072b592b5be12f632b614d17c58f90098f7c86d9267f9f79e2b66
SSDEEP

768:Phd5PzngFxB9NdoZY1G0EyEDmir2q2izepfE/1H5F/sTqaMABvKWe:DtTgjBMYbEDrr2jY7IMAdKZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akpoaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeandma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4504	Pmnbfhal.exe
1984	Pplobcpp.exe
5012	Phcgcqab.exe
2828	Pnmopk32.exe
656	Ppolhcnm.exe
5060	Phfcipoo.exe
2264	Pjdpelnc.exe
2084	Pmblagmf.exe
440	Ppahmb32.exe
2968	Qhhpop32.exe
4320	Qobhkjdi.exe
3596	Qhjmdp32.exe
3356	Qjiipk32.exe
1468	Qacameaj.exe
3400	Ahmjjoig.exe
968	Aogbfi32.exe
1656	Amjbbfgo.exe
4052	Aphnnafb.exe
4448	Adcjop32.exe
1896	Aoioli32.exe
1532	Amlogfel.exe
2132	Adfgdpmi.exe
1688	Akpoaj32.exe
3644	Aokkahlo.exe
1080	Apmhiq32.exe
1232	Aggpfkjj.exe
4660	Aonhghjl.exe
4884	Aaldccip.exe
2424	Adkqoohc.exe
4416	Aopemh32.exe
1776	Amcehdod.exe
4832	Bdmmeo32.exe
1744	Bgkiaj32.exe
2740	Bmeandma.exe
4852	Baannc32.exe
4764	Bdojjo32.exe
3472	Bgnffj32.exe
2668	Boenhgdd.exe
1868	Bacjdbch.exe
3124	Bdagpnbk.exe
3424	Bhmbqm32.exe
3864	Bogkmgba.exe
4740	Bphgeo32.exe
2472	Bhpofl32.exe
5036	Bgbpaipl.exe
2444	Bnlhncgi.exe
3404	Bdfpkm32.exe
3120	Bhblllfo.exe
1660	Bgelgi32.exe
992	Boldhf32.exe
700	Bajqda32.exe
4828	Cpmapodj.exe
2340	Cggimh32.exe
2948	Conanfli.exe
1648	Cammjakm.exe
1724	Cponen32.exe
4164	Chfegk32.exe
1420	Cgifbhid.exe
2012	Ckebcg32.exe
1432	Cncnob32.exe
1824	Caojpaij.exe
3168	Cpbjkn32.exe
2304	Cdmfllhn.exe
536	Cglbhhga.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Conanfli.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe
File created	C:\Windows\SysWOW64\Bmeandma.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Ppahmb32.exe	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Dafppp32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Akpoaj32.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Bacjdbch.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Aoioli32.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe
File created	C:\Windows\SysWOW64\Ifaohg32.dll	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Amjbbfgo.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Ogakfe32.dll	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2840	4152	WerFault.exe	173

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjceejee.dll"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckebcg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4504	3952	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe	84
PID 3952 wrote to memory of 4504	3952	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe	84
PID 3952 wrote to memory of 4504	3952	eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe	84
PID 4504 wrote to memory of 1984	4504	Pmnbfhal.exe	85
PID 4504 wrote to memory of 1984	4504	Pmnbfhal.exe	85
PID 4504 wrote to memory of 1984	4504	Pmnbfhal.exe	85
PID 1984 wrote to memory of 5012	1984	Pplobcpp.exe	86
PID 1984 wrote to memory of 5012	1984	Pplobcpp.exe	86
PID 1984 wrote to memory of 5012	1984	Pplobcpp.exe	86
PID 5012 wrote to memory of 2828	5012	Phcgcqab.exe	87
PID 5012 wrote to memory of 2828	5012	Phcgcqab.exe	87
PID 5012 wrote to memory of 2828	5012	Phcgcqab.exe	87
PID 2828 wrote to memory of 656	2828	Pnmopk32.exe	88
PID 2828 wrote to memory of 656	2828	Pnmopk32.exe	88
PID 2828 wrote to memory of 656	2828	Pnmopk32.exe	88
PID 656 wrote to memory of 5060	656	Ppolhcnm.exe	89
PID 656 wrote to memory of 5060	656	Ppolhcnm.exe	89
PID 656 wrote to memory of 5060	656	Ppolhcnm.exe	89
PID 5060 wrote to memory of 2264	5060	Phfcipoo.exe	90
PID 5060 wrote to memory of 2264	5060	Phfcipoo.exe	90
PID 5060 wrote to memory of 2264	5060	Phfcipoo.exe	90
PID 2264 wrote to memory of 2084	2264	Pjdpelnc.exe	91
PID 2264 wrote to memory of 2084	2264	Pjdpelnc.exe	91
PID 2264 wrote to memory of 2084	2264	Pjdpelnc.exe	91
PID 2084 wrote to memory of 440	2084	Pmblagmf.exe	93
PID 2084 wrote to memory of 440	2084	Pmblagmf.exe	93
PID 2084 wrote to memory of 440	2084	Pmblagmf.exe	93
PID 440 wrote to memory of 2968	440	Ppahmb32.exe	94
PID 440 wrote to memory of 2968	440	Ppahmb32.exe	94
PID 440 wrote to memory of 2968	440	Ppahmb32.exe	94
PID 2968 wrote to memory of 4320	2968	Qhhpop32.exe	95
PID 2968 wrote to memory of 4320	2968	Qhhpop32.exe	95
PID 2968 wrote to memory of 4320	2968	Qhhpop32.exe	95
PID 4320 wrote to memory of 3596	4320	Qobhkjdi.exe	96
PID 4320 wrote to memory of 3596	4320	Qobhkjdi.exe	96
PID 4320 wrote to memory of 3596	4320	Qobhkjdi.exe	96
PID 3596 wrote to memory of 3356	3596	Qhjmdp32.exe	97
PID 3596 wrote to memory of 3356	3596	Qhjmdp32.exe	97
PID 3596 wrote to memory of 3356	3596	Qhjmdp32.exe	97
PID 3356 wrote to memory of 1468	3356	Qjiipk32.exe	98
PID 3356 wrote to memory of 1468	3356	Qjiipk32.exe	98
PID 3356 wrote to memory of 1468	3356	Qjiipk32.exe	98
PID 1468 wrote to memory of 3400	1468	Qacameaj.exe	99
PID 1468 wrote to memory of 3400	1468	Qacameaj.exe	99
PID 1468 wrote to memory of 3400	1468	Qacameaj.exe	99
PID 3400 wrote to memory of 968	3400	Ahmjjoig.exe	101
PID 3400 wrote to memory of 968	3400	Ahmjjoig.exe	101
PID 3400 wrote to memory of 968	3400	Ahmjjoig.exe	101
PID 968 wrote to memory of 1656	968	Aogbfi32.exe	102
PID 968 wrote to memory of 1656	968	Aogbfi32.exe	102
PID 968 wrote to memory of 1656	968	Aogbfi32.exe	102
PID 1656 wrote to memory of 4052	1656	Amjbbfgo.exe	103
PID 1656 wrote to memory of 4052	1656	Amjbbfgo.exe	103
PID 1656 wrote to memory of 4052	1656	Amjbbfgo.exe	103
PID 4052 wrote to memory of 4448	4052	Aphnnafb.exe	104
PID 4052 wrote to memory of 4448	4052	Aphnnafb.exe	104
PID 4052 wrote to memory of 4448	4052	Aphnnafb.exe	104
PID 4448 wrote to memory of 1896	4448	Adcjop32.exe	105
PID 4448 wrote to memory of 1896	4448	Adcjop32.exe	105
PID 4448 wrote to memory of 1896	4448	Adcjop32.exe	105
PID 1896 wrote to memory of 1532	1896	Aoioli32.exe	106
PID 1896 wrote to memory of 1532	1896	Aoioli32.exe	106
PID 1896 wrote to memory of 1532	1896	Aoioli32.exe	106
PID 1532 wrote to memory of 2132	1532	Amlogfel.exe	107

C:\Users\Admin\AppData\Local\Temp\eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe
"C:\Users\Admin\AppData\Local\Temp\eec69844fa72a719686cc72ebc82a5559ca056e71a2e2eab6571bf86e8aba772.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\Pmnbfhal.exe
  C:\Windows\system32\Pmnbfhal.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\Pplobcpp.exe
    C:\Windows\system32\Pplobcpp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\Phcgcqab.exe
      C:\Windows\system32\Phcgcqab.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4492
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        72⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 400
        90⤵
        Program crash
        
        PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4152 -ip 4152
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
52KB

MD5
b912806c77d411cba6a107c3378b2315

SHA1
a675e39dd1f2652a1c43e2d35709bff796582a27

SHA256
b7bfffa2a5b76dcac7b2b298138c7121047287f62953fefc69c78e46bb9507a5

SHA512
3eaae536a212854cbce8abd4554960ab7e97b0689f8c10b3104b88a40a06f7ac6e6cefcb6efef99b45633fbf5410d59635b76199b77c2a3b311409ad8ba014d4

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
52KB

MD5
a1f80065857e019772f10ab168715342

SHA1
899f44689fb81e9dd3f8f207b65556cd133711b9

SHA256
3a1aa3135bcfc4d7cf3f2ab902eda6bc9abdd71acdf6d45df11103ee552b6bb4

SHA512
7da14f76d5cd89f3a1e9f43906446781b899be0cce2434ef9e3e7d80fe23558179de7c44e6f991b0376fd83a7bcde32fd18b1b63971efb6715f4f93379c5ad81

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
52KB

MD5
328ff36f50675255e5393e8c92bc5e72

SHA1
1ab89de0209e2ce375bf073c6ca7fc10591d393f

SHA256
997beba0bb6025c800b1ff7bad0c943120175574a2a033533a837a55a823c425

SHA512
24a995f29f06ee7ee3bb252376eeb82c22f3281cd9f6a9c44b2d28803aa36a91db0aa613f1d413d8df0f32e8006810305a600754945021fabb15f878dc1ead5a

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
52KB

MD5
f44cc906823d48eb87a20c26db293073

SHA1
ac012f0fb92e04bf8e96c50bec2a1fed61a2fa35

SHA256
45717932ff9624d77a538ab1981d928ca08f74d2eb8bc6ea3e48ea53394d7e9a

SHA512
58a7f9379b341e355e1d5ebdd895228ae719645673ded9ab7e0325702360deb5a81773d6e1bf2178591cba6fdca1bca6fb5dc600789c468090e837a3d5b86747

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
52KB

MD5
94c9d8500807a7327e898360ad629bf5

SHA1
11581c84cb4061662d7d7becc1190ea99ff91e47

SHA256
6cb07c0d57aeabdebf830959b2393bdc26972f74ce1e748220ce116c8d689992

SHA512
ee739776929bc6df7a80a83a51c63732bedad31407585f5298843944e6cde8c889ba7f0e78fdfc82eee3650c03aa0efa1a3f39350751ca034318a7c803a96980

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
52KB

MD5
5b9fc1a0a9bd33ef9eb7655668503fe2

SHA1
6ac7ed317f7253b7ef9abdd47196e5e55e8305c7

SHA256
00b5c4dfc4b65989f910575fed689a27d6da213db8180074eb1238601f03bdea

SHA512
fae554b7a48bf281b50b9987cf305ae37e87c615815be4d578a06ede2379fe13535a22dcad73e38e04e6554023dfae96d7a9e303d96f8b64a833c02660319927

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
52KB

MD5
7e1255c9a90d81bc2d71dd7525fda761

SHA1
2cd3d4fd5b930dbe0f26307de62506059ede8ad4

SHA256
62095d57f759d2a1983de6aa15ba12ec82047497f65c79440c863ebf462687e8

SHA512
16a6da633da73819d3b05cd8d5d012df2cbb35a0b7b14896c612a896e9493c9568fbfc1e6fbc87c3ee600c8d6a021c950dfbb0b86d7c65df8144b251e21488f1

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
52KB

MD5
812010b8f11ab5e37e8fc29819a06e31

SHA1
38c911c201ea5ac091fc294542f882da3a4e06c6

SHA256
4a086bfdd01d20922cda75f5c9c064faa886af18627ebbfb5b8e6a30f121f80c

SHA512
11e9f664c9313bb7c203b8090e9f86dc0cf780722c68a1613e4088957f4ace4d62ce3edefe4f36a10c85145d2b2d559eaa3b2927dd2c058228f6084eb8cf47c6

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
52KB

MD5
d43e55180274c4b3190925297c790991

SHA1
fd387a191bd8d063048f11e3428edf99a3620628

SHA256
18a904281adedf5382439fdc24654e80ade13a498338ca06e0ad68471375b43d

SHA512
32a2f281ae300d9edfdde5290328ee6c137c9d211cd7a7dfa76d4c19e93d27b65d627ff42a3d4983c48ad423a3ff991119d6ddb1753ea93085f10c9b5c90093f

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
52KB

MD5
76f1ecb2219b80003896e343933937ab

SHA1
ce4bccf0c0b5b8eaeaf0ef5949a8646b034f353f

SHA256
8fbb68edf4745c8690f62b5265ec33dde73deb1b0a5a6fe46e716964700f1ef2

SHA512
574129e947791bc156cb7efa4b8a4c32d534c3a9e6efee090aec95362e374e78cee0c1596765c62bb4e42128adbe14cddb8500ef001d50d671957948b9bb04bb

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
52KB

MD5
149305f87ff22428c421551dccd481ab

SHA1
f85bfcf72fd02cb348c4854ba1b08feb0bc592ae

SHA256
50dd1db9651be9fa0c154dd8b714bacb35dd1815ef8e0fb856f1f9c086a414a4

SHA512
a5e4b6e5bd6413c68518e1da05d55ed15676d01bd1a82647a9fa4244fcad220e50ef5772f62faed66b3635d90eed5a73e1e82daa226afb69a2978a6c8b8f1521

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
52KB

MD5
a5830804436dfd35de1ee28557e30403

SHA1
bc2742e2e9c4aba7224915dc8194dc3d0a8287d9

SHA256
c065ec4062ee9bb03d2cc9b4f48e30a70d96314165b0b05b5f18d2674109a774

SHA512
613e9e3e93b82f5d2bdbfbf942c9e0e9e99b43600d0fdfef78b5a63ed8b4500bd6e14363af923b76f932836b00518a8c2d690f398de7e93c008177c820d09719

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
52KB

MD5
756258d8cb2ae1df991709e30174bb02

SHA1
4595592ba9371275ed555f62fb6eaf907e5bc62c

SHA256
fa4c1b914db20b8aeed3f9e0b395e583193a3dc2d603f038cd6dd5b2c383ea71

SHA512
a59f419dc5e32ef279dbb7dcd8f9e73387ab5383350130ffa63a25eb0859ec41cf1844526b426fa685f1967ef5e180d5b39424d8d0a2da06a5e0c6e0e64dc1f7

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
52KB

MD5
3d370ae76aadf93b85a72fd160417f62

SHA1
f4357f7b2a6222e091562afeab9c789494689ce1

SHA256
e044b52d35668824cd4997f29aae10ed0b37c85cc9efec732813c8f27e32ff5d

SHA512
fe132eaa0d9ca8fdc672a1726226837a45c044ed8e8bc14f1e2474513b64636448f0c05f47ba48732d7160c2e4f4981b3e00da4c8f9dab7e319793a666f5bb0d

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
52KB

MD5
cedf16aec2d855e0cf9017a3c7fff3de

SHA1
f86776d62635efd58c1ebe89cc200471961b15a3

SHA256
d3fdf380b3824ff87db6daabe8d3453aada594a30dc7d4f0aa6bff8b56c34587

SHA512
31d192d32b8a2f7f92997410e54b487276bfcc989f1a2d2c56cadf9e02457c5561a8a4d1ff7914f967b402594dd9be93a86481c8055cea4b8cb89369f7dd71bf

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
52KB

MD5
3f03d7fe44a9cfd92827042fc18aa26d

SHA1
7ca72dcbc5a7e23ffe5268e7c7954caa70dbcb60

SHA256
7da75de2dbb12d288455b885a81fb864118c49f041ad2ecab5860b3967d47501

SHA512
a770e015c41e88ccdf7f7b53729f2cb36cb4fe93fbd37ed92c53b1ee17b45d27075ede4df8f2db79b244e5a180c8ee95ea6c180029d07c767fd1ef0872e8f1f7

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
52KB

MD5
b00da4ad47eb330b919c36053976c74e

SHA1
ee8bf8afc7c2a08a902e49859d2c16bca6a2cf1b

SHA256
84613b476fa6309c64baa2cefa00b56bf139f3857610853e664e83ccf84851c8

SHA512
b6fa64317df2619311a6f8ca54b3cdba4ccfc50c81e074f0ff55029ca49904d8c3afd329ba82f5af1b0ca34d7c7ba20ac3de4ed7b0683337863d803603f9febf

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
52KB

MD5
97ee3817736227712c03f3dbeec91402

SHA1
223410b8f0ea4b34a13709d8a4db09784b0dd045

SHA256
f4f9738b46191ddfce926c964b88361db1c76957b2e42cb58c7fedb85ffc6746

SHA512
011440d735f08bd401aff64be1cbcd113b8842e1eba259146876e352296687e5684ea2fce111e0dfc76898418124c8fd88c224477927d8e1327b9c295319c08c

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
52KB

MD5
4f824191066e4a6f88aafeab94d0df36

SHA1
ee06017d295fdb14598b7f4faf47827e6f019d88

SHA256
7197209c7a3335bcfe32169204b3a9ea62aa3b8301506d19a721e48de85e2041

SHA512
f0df18119a19e10fd9bcea627f3b776a4e9b5b781957dd359e5a418dcbb22c95940ff7e88a1399c6a2a9ade44396573aeca49c3c29b075a2d20b30e6fead344b

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
52KB

MD5
e13bc0003d17f306c3f524c20d010473

SHA1
f0684cf2cd7e881a973542f4ea7d39ca85ede2ca

SHA256
393596815be739e015e9cb73b0009ed740d08482601d78aa7c312a55309dc88e

SHA512
5ff8e785d69c2f6e2b759867b7bdcd3ea2b5a9b8764a1e79eec9d0f7320d003a6655a9cdc279dd9644a21bb9d73ab4726b8f8d980cf7ee2b47d0d6d053144160

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
52KB

MD5
0d25e6db9eaefc00c739caac8ecfbd06

SHA1
50979a8c02ac99880c5b27f9e989f536e68b6d7f

SHA256
d90a7c3746aab82a3a4c894b7cd2c4dea9de462b8d2b01a0268dfd4531dc14e9

SHA512
51112a32c807cbc95575729ebb57b2bf2a809a72db83539bc0902c7ea07afdbf4bf34c643adf12143bdf53e37b547ff766827c5b415eafa1cf455fea21f07d66

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
52KB

MD5
c2149cd25a63c3cc979050a6fecaba0c

SHA1
7aa7fdcee269afa886bee09014c759fd1900c512

SHA256
6941fecd071569da3ea89fcbdedf0fab12cc4fa13eaea20162b96af30184f50f

SHA512
8122119351c4536b1ea7daba4abea97c0725a4f00bbb61708563ab79b9f612ad7adeb5b77c9e3b26735faf61f3392cac237081f2c17ef7a4c68a2569f55c7c64

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
52KB

MD5
df8e2f3f70a1a9639ad1b4b2b55f5539

SHA1
ff17b6487be6ec8f9590ab4bc1f1762ac26eba03

SHA256
73e70f4b5feecd2ac3067bdd37218a24983fe469576ed402f319c192a647e593

SHA512
b69430f8c2443db878b56286fe08be0e2f044c69069216c317e3c36d9202600686ae845f659e05c2a1c705321a5c14f44ce740a8bacfeeeb84ec50f80da32e78

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
52KB

MD5
ff9d17de70440b795e58ba1370b6c243

SHA1
a3a2a76b9554392127bdd0f6753c86f327bf4295

SHA256
f073e67283c57540780b2d43c70dfcdbee7a2e9a68392ccf2766938490a94e24

SHA512
9c57862d886c45b836e45d0d80452702e7f02a86ca42be8cc800d3766b3cdd7499d966beb4b041bbe6f8278af360d2beca51d4f3e62598c125a6613300ba4499

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
52KB

MD5
05dcb405049e152ad4310ae2a872c796

SHA1
f21261655a0e211b0f99dd13cfbc63a534e75eac

SHA256
5118530515fe8941d5ff244d25fbb1035b0753cdbaf4a0e8c3cd3888d0c3c758

SHA512
1b9d163b718be88697f0cff01604de86b623002be176cf528c4d5f1b68d22a0c43bd515b3cab3616474bd68bae0ef1b2d592e497cf7114da896018729b7acea4

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
52KB

MD5
adef3159f4f4144c6c3fe7c1b889109d

SHA1
785c8f3fa57cae5534a749bd7e6ba8282c397e55

SHA256
64b0f246bd8d2e7e74a153add13ebc8c833b75e14b27f31047730f92f480c5c4

SHA512
130cd6948b86e4c1d1793912a73c00322bdf90cb90aee3dde25c06281c614ccdd18db2ca4ebc42be19257bbabca93da1498a113d3d27c94552dba5818f3395cd

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
52KB

MD5
50a49f64e030f004bf4c3925cccdf5c7

SHA1
4732af3856628ccb8c73d630e9f38baa281e34c8

SHA256
bb897f3088807a7185321f766d387ecdb4afcfe3787abdacb872b7c9a19f7de7

SHA512
c71d78a2a0874f721bbed4ceb5f0d2ecdc106d2a080865b23797b40f2a02685d71d81f5d188571c01167c06d1b829c5c2ed094149e5c5410c8718694126eccd8

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
52KB

MD5
1c7b3b1ebafe2aaf42b84293ff1f8351

SHA1
ca2459036423e3854c96d16a5795fd6f18cd39b9

SHA256
d3be92e5dbdbf77f34e0e14c8a01fcc10b2aaab9b253041f4c60addea31a9161

SHA512
99b4aa351f3e3499c29c64e960681deeb1d93a44cdad70c823b1955ddbad0fc9f3aa906ef7906b8157dd415f7f88acbd0904c63b88c84f17661e5c49974c5688

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
52KB

MD5
43902864b0bfe23ecb97edf9748b3192

SHA1
5bb7a70af2805e84fdba6962804b7bd4474ac2a4

SHA256
1ebea262e07920ef8de575aaa73317c1ca35718d8d8adb9d67e8caa22f814d95

SHA512
908835b8137a6ee474b52761ebe2d306f6980fc93ef822f7561112c019476830f6f442ecdd8c67bd1d8609a3656b0aee58aa7a34971b8a83c489336c9a449b95

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
52KB

MD5
7dd18e732dd7dda220741687f02ba20e

SHA1
ca9f39273a3aeb0a55fba3b863889c91aa3bfff2

SHA256
961094427c617805544722d33c284c74bc14a1bed2b884ce3209c188e6a855a9

SHA512
8239371a9f859ab81fe355f40a63f99416ef7c53902added9d03fd0b4d0dfa0c89714e4c456e421b92808b0480c7c4f5366ddf5b513a549684979248a8752c15

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
52KB

MD5
d1323448084853c0f9bcea528ee4caa8

SHA1
a39479ecf769592798bb3ccb8de912e4903d029b

SHA256
ccd899f8ffc6d7c134d4ea91c778e9097b703a91fd24837f9b8676398cf9d797

SHA512
15893efa14629e767eda455b787d30edcdabdd1fe37fbdc20f73bb455c528a2715f2f6305f7b937ee2d8e1d028957a1ec2d18b9aa16c5c07bfe314338d6a96c2

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
52KB

MD5
4eb86a2ba0089de9bd8d0e84dc668683

SHA1
3223253be666c1a084ebf5205552fb4321b06a4b

SHA256
25def69fb82c6300d116428974ec018317860775088581dbaf956e41613083e4

SHA512
e0995ef9d9745ed81b491a115d3745bacf08c1fb4079af7b510cb147667d2a6d601e05114f1e910f3fb594f34103e08552b5862e49430c5da9d265873e9aec0a

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
52KB

MD5
cf83ee1db628eff080ca0d44a19621c1

SHA1
f8b16b8f6237e5f173329716d832654c8f03e6f9

SHA256
f860d55357bb360bf1d4464c3c622146c727c289519f92238d616a5afed38f94

SHA512
f5e20fc6f97f19d7840031ed72c98dc9d350bb242cd0fba40a1a1a66a7e37e94617b82a76a694997077ce14fc1990a432f85a3565093978d86c7e6df9ec8201d

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
52KB

MD5
37ac6700ac291046f761284eb60f5357

SHA1
4c180432ed782fadaa2f288f64d76339a531052b

SHA256
e8032d63033bb3a62977dc3748534d60c6648bb5c713cab02d49f69add2f05f8

SHA512
04966c2a7bd18ba105995cdca763e83a7046c5289bc749e3a48d81ce3c83c0c51801ed32329b24d15f7391381b4e2150349aa35c352faf7186657465ec5ee232

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
52KB

MD5
d89c787cca58c0963290605e3882607f

SHA1
223008fa09f708b02ef65a78da8a53dd91777f23

SHA256
9595109807f45b4755ab152467d4a823ef6862d12da91c52943d9768dc4bf496

SHA512
2ae3664440a591511121f05d84d93dae59c0c39b5c090fb1b496b77528f51654745ba69e23d681a5f54e88c005882f1d33b7a600337f46d1eef76c2d24b8edf7

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
52KB

MD5
53285d683921d2899b00d70f517b7447

SHA1
f85882c1e630ffe0f7682ca2ad38972b6207c679

SHA256
63a4d4fa3634ec57c59fcd69f5854e10b2c38d9a1dde4be8e6ec3515b9dcde6a

SHA512
be664cf19f2191bd9ef03f46fc49a65a990c684896e1c20b4da47a16c6033c4ff191c0b23d840017e7214e11263a73739e1f7ccc1854ee9e9c3caa034f9dba65

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
52KB

MD5
80fd605a1c925240fd993a6c307544db

SHA1
6a0f91a4f063da3f88c37cdc5e26a98c10d31421

SHA256
cd7ebfd13e748666c3d58f2a4ea027027ff513ba6b7f2e37482c22db0491387f

SHA512
c7303f378b35391ceb31f67f754600f70c9a86660954e745c28e7de5ebc6c41d6c180cb8fd4d98ee1b18e9704541bdb8899a3ef9bbf9090182ee6801d6ce90c7

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
52KB

MD5
d2f3f69118251f656801172e3de84eca

SHA1
b9aa0491e00b44068d7d05d13c1b7c9d6c8f169b

SHA256
520a4c142a7ac89b9144f1fe3b22ec3398f2068d9a28ee496b1e229b368d3322

SHA512
6beeaab21f4c2e16df98717bf16c233659898217f60e5f19fec55be0f880723caf1d8603cedd251d2e508f4a1c45959ce5f32051bbd64e07d2fd9f6f758984cb

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
52KB

MD5
e7ce24e09bc08e73b9e922afd2b08daf

SHA1
92733a190f3650d5c5b5f88ec0d8f8aca70f352c

SHA256
203f36e66b82ff5845f9d0b880507786ca3ce70737d06c3e8b492fb5e8021285

SHA512
97261e3355bd8887696f0a322d4c26ee599ad03251ba4943255889d572c35bacd123d78a3a9c2c4b1bcb79aa89bed6620f5d95ecf76ccc84f22e31b35b79bfaf

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
52KB

MD5
9145847d942cf11d8b038c187d2a30eb

SHA1
99b4c9b600eae14564d64a83500579d516ccd0c6

SHA256
cf0a890d04646919577ab5512da8ac9cc21958a4786cd930d81271be65a82507

SHA512
a55d6dca29d8b97377b98f5a44f90ce9c90da6e6086cfbbff4a0e8fe6bf227e27be1269128b2ac0fe80c7b47985f9651171bc4eddefd35fb7de04a9544b91206

Download Submit
memory/440-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/700-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3404-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3864-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3864-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads