berbew | 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5af

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe
Size

72KB
MD5

8cc79c63c6b2e78a32f54a6188d12180
SHA1

6e2cbf3e02cbdba937af343731edca46f3815ace
SHA256

2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5af
SHA512

5baa70a7a02e23ff3bd475f9b524eedfe9d33f5066761e0ee35214dad21146ea6594bd3f10268c8bad3015f5e745bd93f96e95c00027459728d7a3cb7e81a020
SSDEEP

1536:uOlhr4o4GgZJz6nsK3cilPPgUN3QivEtA:Bl9N4GkV5yNPPgU5QJA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4568	Pnkbkk32.exe
3092	Pplobcpp.exe
3604	Phcgcqab.exe
2828	Pnmopk32.exe
656	Ppolhcnm.exe
5060	Phfcipoo.exe
4868	Pfiddm32.exe
2084	Pmblagmf.exe
4852	Pdmdnadc.exe
4380	Qfkqjmdg.exe
4320	Qpcecb32.exe
3596	Qdoacabq.exe
3640	Qacameaj.exe
3016	Ahmjjoig.exe
3128	Akkffkhk.exe
968	Amjbbfgo.exe
1736	Aaenbd32.exe
2464	Aphnnafb.exe
3972	Ahofoogd.exe
2720	Afbgkl32.exe
2144	Aoioli32.exe
1636	Amlogfel.exe
2712	Aagkhd32.exe
4776	Apjkcadp.exe
1932	Adfgdpmi.exe
2864	Ahaceo32.exe
3744	Agdcpkll.exe
4584	Aokkahlo.exe
3304	Amnlme32.exe
4200	Aajhndkb.exe
2796	Apmhiq32.exe
2340	Adhdjpjf.exe
1048	Ahdpjn32.exe
3756	Aggpfkjj.exe
4832	Akblfj32.exe
404	Aonhghjl.exe
3960	Amqhbe32.exe
4444	Aaldccip.exe
3908	Adkqoohc.exe
4744	Ahfmpnql.exe
1212	Agimkk32.exe
2588	Akdilipp.exe
1468	Aopemh32.exe
3472	Amcehdod.exe
5088	Aaoaic32.exe
2576	Bdmmeo32.exe
3844	Bhhiemoj.exe
2648	Bgkiaj32.exe
3456	Bkgeainn.exe
1608	Bobabg32.exe
3008	Bmeandma.exe
1688	Baannc32.exe
2488	Bpdnjple.exe
4344	Bhkfkmmg.exe
3700	Bgnffj32.exe
4520	Bkibgh32.exe
4412	Boenhgdd.exe
2752	Bmhocd32.exe
920	Bacjdbch.exe
952	Bpfkpp32.exe
3052	Bdagpnbk.exe
4912	Bgpcliao.exe
628	Bklomh32.exe
2416	Bogkmgba.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Aonhghjl.exe	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Boldhf32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Chkobkod.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Adhdjpjf.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Bgnffj32.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Qpcecb32.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Aggpfkjj.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5592	5480	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agimkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Bgnffj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4568	3176	2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe	84
PID 3176 wrote to memory of 4568	3176	2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe	84
PID 3176 wrote to memory of 4568	3176	2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe	84
PID 4568 wrote to memory of 3092	4568	Pnkbkk32.exe	85
PID 4568 wrote to memory of 3092	4568	Pnkbkk32.exe	85
PID 4568 wrote to memory of 3092	4568	Pnkbkk32.exe	85
PID 3092 wrote to memory of 3604	3092	Pplobcpp.exe	86
PID 3092 wrote to memory of 3604	3092	Pplobcpp.exe	86
PID 3092 wrote to memory of 3604	3092	Pplobcpp.exe	86
PID 3604 wrote to memory of 2828	3604	Phcgcqab.exe	87
PID 3604 wrote to memory of 2828	3604	Phcgcqab.exe	87
PID 3604 wrote to memory of 2828	3604	Phcgcqab.exe	87
PID 2828 wrote to memory of 656	2828	Pnmopk32.exe	88
PID 2828 wrote to memory of 656	2828	Pnmopk32.exe	88
PID 2828 wrote to memory of 656	2828	Pnmopk32.exe	88
PID 656 wrote to memory of 5060	656	Ppolhcnm.exe	89
PID 656 wrote to memory of 5060	656	Ppolhcnm.exe	89
PID 656 wrote to memory of 5060	656	Ppolhcnm.exe	89
PID 5060 wrote to memory of 4868	5060	Phfcipoo.exe	90
PID 5060 wrote to memory of 4868	5060	Phfcipoo.exe	90
PID 5060 wrote to memory of 4868	5060	Phfcipoo.exe	90
PID 4868 wrote to memory of 2084	4868	Pfiddm32.exe	91
PID 4868 wrote to memory of 2084	4868	Pfiddm32.exe	91
PID 4868 wrote to memory of 2084	4868	Pfiddm32.exe	91
PID 2084 wrote to memory of 4852	2084	Pmblagmf.exe	92
PID 2084 wrote to memory of 4852	2084	Pmblagmf.exe	92
PID 2084 wrote to memory of 4852	2084	Pmblagmf.exe	92
PID 4852 wrote to memory of 4380	4852	Pdmdnadc.exe	93
PID 4852 wrote to memory of 4380	4852	Pdmdnadc.exe	93
PID 4852 wrote to memory of 4380	4852	Pdmdnadc.exe	93
PID 4380 wrote to memory of 4320	4380	Qfkqjmdg.exe	95
PID 4380 wrote to memory of 4320	4380	Qfkqjmdg.exe	95
PID 4380 wrote to memory of 4320	4380	Qfkqjmdg.exe	95
PID 4320 wrote to memory of 3596	4320	Qpcecb32.exe	96
PID 4320 wrote to memory of 3596	4320	Qpcecb32.exe	96
PID 4320 wrote to memory of 3596	4320	Qpcecb32.exe	96
PID 3596 wrote to memory of 3640	3596	Qdoacabq.exe	97
PID 3596 wrote to memory of 3640	3596	Qdoacabq.exe	97
PID 3596 wrote to memory of 3640	3596	Qdoacabq.exe	97
PID 3640 wrote to memory of 3016	3640	Qacameaj.exe	98
PID 3640 wrote to memory of 3016	3640	Qacameaj.exe	98
PID 3640 wrote to memory of 3016	3640	Qacameaj.exe	98
PID 3016 wrote to memory of 3128	3016	Ahmjjoig.exe	99
PID 3016 wrote to memory of 3128	3016	Ahmjjoig.exe	99
PID 3016 wrote to memory of 3128	3016	Ahmjjoig.exe	99
PID 3128 wrote to memory of 968	3128	Akkffkhk.exe	101
PID 3128 wrote to memory of 968	3128	Akkffkhk.exe	101
PID 3128 wrote to memory of 968	3128	Akkffkhk.exe	101
PID 968 wrote to memory of 1736	968	Amjbbfgo.exe	102
PID 968 wrote to memory of 1736	968	Amjbbfgo.exe	102
PID 968 wrote to memory of 1736	968	Amjbbfgo.exe	102
PID 1736 wrote to memory of 2464	1736	Aaenbd32.exe	103
PID 1736 wrote to memory of 2464	1736	Aaenbd32.exe	103
PID 1736 wrote to memory of 2464	1736	Aaenbd32.exe	103
PID 2464 wrote to memory of 3972	2464	Aphnnafb.exe	104
PID 2464 wrote to memory of 3972	2464	Aphnnafb.exe	104
PID 2464 wrote to memory of 3972	2464	Aphnnafb.exe	104
PID 3972 wrote to memory of 2720	3972	Ahofoogd.exe	105
PID 3972 wrote to memory of 2720	3972	Ahofoogd.exe	105
PID 3972 wrote to memory of 2720	3972	Ahofoogd.exe	105
PID 2720 wrote to memory of 2144	2720	Afbgkl32.exe	106
PID 2720 wrote to memory of 2144	2720	Afbgkl32.exe	106
PID 2720 wrote to memory of 2144	2720	Afbgkl32.exe	106
PID 2144 wrote to memory of 1636	2144	Aoioli32.exe	107

C:\Users\Admin\AppData\Local\Temp\2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe
"C:\Users\Admin\AppData\Local\Temp\2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\Pnkbkk32.exe
  C:\Windows\system32\Pnkbkk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Pplobcpp.exe
    C:\Windows\system32\Pplobcpp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SysWOW64\Phcgcqab.exe
      C:\Windows\system32\Phcgcqab.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        39⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        47⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        59⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4084
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        85⤵
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        87⤵
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        88⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1968
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        92⤵
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 400
        109⤵
        Program crash
        
        PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5480 -ip 5480
1⤵
PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
72KB

MD5
d565597017fa10ca554125f456c3698e

SHA1
5b5d245d731718eb7f2d31dd001db5693645f08b

SHA256
24c8607168db3f43b2c8d73eeabb9c32ff093e962049751e9a03bb4327235e4d

SHA512
d159f00c66692c98bcb1d02fbbab81447806b31c398010161017e82f9c4cf2a300f0a696952ef77cc407bf2fde4ac3b44c50642945412b5c43690530a983af28

Download Submit
C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
72KB

MD5
938306c2092084887fdab66ec86f6ec1

SHA1
986de6c5ab0eb9d9a5332ea8cd9fc673794de23b

SHA256
4b05a7dd23f5f5b3ff314d56d5331a55944399a3120c622a59c1ffe6786cc9d0

SHA512
c28251bf7db2d3baddf91327441b0b41bec3a06189f7d57a6034ccbaf2dc36fb00d16cbaddeb34f6363291c9ca8d44559df32b28b66c6db2bc71c015048a2d84

Download Submit
C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
72KB

MD5
2527c5e1ca5e286ee7ef5238bc0bdbe9

SHA1
af09eb12a70c4169e5bb3f8eb5b8bc1c542d145f

SHA256
fa1342dfb937697fe30f30f44eda8a07ddf44012ab102e2b5162d4792c6ada37

SHA512
76b229b2917ca81198c60f5809ec89adea7e9859da31b28f6833595d299ba121dc1b020dd8b4c6de61e29d386769f45643dbcc27e80c64fe70edba93b165d9a1

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
72KB

MD5
cf2b119b290aa7bb6d2edbe60a82764c

SHA1
959e7a3c476b0bbbf5ff9e5bc5bcdd9f03d85dd2

SHA256
7c440418aec77fea203bcf6c05c227a5b0c0a2ad0fff916359e6c8544b985647

SHA512
7d0f60d9b2b96b938a2f248c464e3825cbcd6f751e8c327659b9242ad4fc9199a439ba6400ef8f7aae4c7593a71046e04e184fb37d2bfc27a984417a616cff59

Download Submit
C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
72KB

MD5
5ba7fa8f99170d97602d8200e58a0c7a

SHA1
df4c46b659b8d89f5a1337ad54bb1a10ca558448

SHA256
06d4f9ce99b749f8d3590ce15e4b9e9bdbea702c276b869f18b495c483d0c8e1

SHA512
2c76cbd3e11db7427e645ad2c3200cdca72bbf85149bb31ce2762088fee84b589fa6ee09cc601e4e965eac09f7d3959eadb4e13b6b8af4618ef9e9474bcfcc80

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
72KB

MD5
26a2a8a4d72f7b4acfa7a4169bd6e02f

SHA1
4f2a57479b0fcc32d85d48088f616c72537e944d

SHA256
88d5b05e5fcf6ce67329d18ae10735ab6200e9e3c5a39e0857635e4775fbb1a1

SHA512
c396f319654a445443791e0209e665f8b073ff1c314e96a37d02a3d3b92c6297e5363d01096ce81da1c50a924b2e0dea492eb07b8c3622945f39d3d789a4bb75

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
72KB

MD5
8943af89cbf40e566649e587e11b8a93

SHA1
a074445379426208af9878979c228f3ef45375ce

SHA256
98792559ad05fe5274e785ffda5240a1ad26a09b5dac5c912007125a5507e790

SHA512
dd5ffd567eb8df6432d281efb2d08f7ac60f34737e8e1202aa67f7127ee3777fbf405213432280e4a447afb589c5eaaff09baf692dd3c9eedcded18bcc01f560

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
72KB

MD5
4274616a826f6e5cd61cde6306a1b238

SHA1
f1cb5e3735d082c4073ac08957c65134df7f7eee

SHA256
bcde1fc7a464ce949bd7b14dcb9f36d86700b01c018f2752e11bdfb872b7c61a

SHA512
53ad55b35f748713383a3d9496e4dee4e0f5496a03577da8ea21b0250f6d4eef13b75d70f8ef77f46ee438e03d266a64219ca4ef190aacc9130cbfb876b9c946

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
72KB

MD5
b06c7d89831f0f95a283d22fc77a9e5a

SHA1
cc1afb6a642a1c1eb7c187de8790ac0677cb5303

SHA256
e1ec7d40519b83bcdae2b13f6b296ac9618e72d6fd686a8e774d63d6b25234bb

SHA512
28a5149057133554811d473cde7a6078e048b6a56b66a3749244c1e857afea43715cd62ac19b22c2b687efcb645406c833a5f223082a6b5edf2ddbf640b65dd6

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
72KB

MD5
03ede2aaa96b6abba58472c4bfb9fed9

SHA1
7052b479a902371c3fa905a207c518d337eb72b8

SHA256
ecacd24b4563cb06de874a7cadad9d6dfbd1117a3c83c2863946f092ccd39dc9

SHA512
d130610fec7af366d1f4e0fd4dc08bcc72e5f955291115b543eb93186b45e85d67fa8b7dc00a3af5c99326f4ba6f2295fbdafb3551169ba7e2f84db819992299

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
72KB

MD5
49706a85f04a0d49b6e96b42b48d7b79

SHA1
4af4d5b521d847c05d80ce5e0eee0b92523dc7a7

SHA256
a4739e70b6fee615900cfda520b8d947bc124ff3df8d83e1e230da89d58b838e

SHA512
9c289f6f3617847c818484842cae1f0d0eebadbaa4ef2c2e0c41f4ee5248ad012d1f6fb51f62b471852d8fc178e193b90f2444be237ef31466b65f64f7c71398

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
72KB

MD5
d95dab7566876b34b84963856d19f68b

SHA1
32c12ac11dad5ff3c6ac55ab36b71d608c35a0a8

SHA256
225b61edb5f7c3e7a66b7e37a2c13253518ef7daacbf34de208abd53ac12d975

SHA512
af73c1b7aae45964845e7fe9e4a768a7876ca1784335de64d3ca9b1c0934ae562bbfb91e096c901479ef6a894aeb88479f32d71b539641a3c9ca7836e94def5d

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
72KB

MD5
c0cf30a2fc683dc492b1bc211444a328

SHA1
ae67ace766b47a6029848547bf632299030161fa

SHA256
42a204a18abf0651938b4b52b2de46b3984855079f555b1207be5a7b6fc549e5

SHA512
5788bd3c9843618d8539a536a496810dadb078d6e9b41b4bfaa05937605c51c51cc2c19b0099d07e1fefc6ea5474e0e5b256c858b76dcff87887ed0667fc6f2c

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
72KB

MD5
39f995a2af88bf3a2e1feb5bf738a081

SHA1
1d28974ce9b72ca850c1cf8e2480444d170faed9

SHA256
dd9eea26be87cb3c6c9a894a020e9bfca255ba287f2d42753d7d9957c0e7623c

SHA512
959a65369b03f3b6403e09e665b97544577c7f57407be157e4aafc7920ccc5ec0c647a56e89b011e994a3542ebf4a64f6cde09491e0a1c2c615ecefecb43a683

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
72KB

MD5
fb90b64098d706ffc88bd65d5577dc1b

SHA1
d88cd85589623c3fd21eb4a67f116a32b6910b51

SHA256
f17342b34e679985cd125ff41920fdce9d99a30f6ae454d4c5f66e8ef25f1a77

SHA512
0fe5f3696f2040cac88bb330a9daad59f2d0624c85b35089aa13c0210f3edf9077ce6d41321bb4d0b73f65a32f6b6b4155e24ed9daf5cff3a3177059b09c15f8

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
72KB

MD5
fa9dcf281f7b0baad18d679bae99648f

SHA1
6b0170d32f23c79198f19fb03faf3f710ce6433a

SHA256
e23012404e90924258cd13358db069c99a641ee820cfa1f65ab83e674da436aa

SHA512
412442aaec58653fee97dc6f78924101608eb1663088071af2f561e32c51099afe7538c1a9515030ddeed19ad2e890347ba2ce49fce09a82e4259a9648aa5ea4

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
72KB

MD5
dba78ed36ad9b8d5ad6b0bdef8de4905

SHA1
688bde7ffa4c87b8f7c23a02ce73461cb6393a7f

SHA256
d5ac87a2caf34e64021a1b5cca30892b767185ce468b4049b0f3aa9967b216d8

SHA512
3e4a1badd362a7837f1b1faccfa4e22c58aa64a4fa30d662e42409991fa66ca78ffcd4aed7776db5d26d759b31d0e1148e0df362a952ad4a3d09f268c5466afd

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
72KB

MD5
f6bcd9b207a6a5d6594d068fbb82f818

SHA1
f512c7c3d6a95bc22bd6eb3bd57342435af0c4b5

SHA256
54b15abaffe544ae4fe4ce5af6712c2174c2e37f1713c596c1705278c266a90c

SHA512
50ea252562bb661921b95f81924e15a9f1385470d68bc205b2556af58f94d2eef4af4890e4cd5c0188cdd526add513210cb6e64a38c7b8de5dac29599e53ceb2

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
72KB

MD5
0969a132176fc105f19dda5163b23dc7

SHA1
d7d008add579f5828015c174b487a5ebc89c7ed3

SHA256
eafc5eee6f6839e00003ad8d1db2b2588bdfe0e5c08306bf15b47e6f5eecf7b6

SHA512
8c546193e7b9f8abb6fce16bf4b15c24317f64ad3b13778f3ec58b8ef06ca7f67131d5f61466b7964e9b945fd582ba80f14d80c65385333e313802df67546f4a

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
72KB

MD5
5d97c11c03290a6672168d3184a97e9d

SHA1
e0fb6842db8b612a3107b6b83e4ebd43b7705197

SHA256
1b06e9c799c2dd8ea52483b0703e4332aea72309e0725c1713ddcc0ddf7722fe

SHA512
fe5546506ff454b454eded4da77176ae1f7855dec5d8a1bf5dab5875f5ae61dafcb1b0d3c10c709721c080abefc1894f6e84110c5eda7e1148d6ba7dc8b77cd8

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
72KB

MD5
ba4e075ebad87fb6f439569436ae238c

SHA1
04193b0d8216f2f2947468cca0b324ef16fd0210

SHA256
8e4eba47054b9f4a1d3ee88cd640cb481e67410e8d330f2a2df907dbb3f54015

SHA512
968751d55f3837e3bc286cb71c0a2ef8ba59f6d3f6afd7b8ce14d98a8fb129584b7e15fac7a71ea1c8be7ab337f80cc55c1077024f692c55394e461fadec1f4e

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
72KB

MD5
ca8ee9dda2949971b48be043dd18278e

SHA1
70f4a7e8d4ac12a9b9bbe74185231452dd818101

SHA256
b72398eaec1e0fa193ed88dc98c20e3c5960a356acece2b02eeb4a822e015f92

SHA512
a3120eb85180ac23ed03050612fd3b6145143d551365e28a344388fdc23402b4b95b69042420cd5c160f3f06473546a3642f62e480ad0be77af27bd11f0df7ff

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
72KB

MD5
b8c02e90fe44e1f3ac3d62dd488d60d4

SHA1
527866d801d0239b935e2738a46f17ce41b7a57b

SHA256
f9d2edc5098be7a4f4cfdcf37663f30f1c5ed2fa249a481a08b1a5c70ddfab3d

SHA512
59b04735d73a2602be81e5a81ba58dbd6ce5a605449217dc2951ce3908d14577967a39ab288c4a25955d9f58c7b74af11a9b87dd1225a55d073e872f7b54e569

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
72KB

MD5
6adc43889be2355802408402082c30f3

SHA1
966c7d4fee6ce2572d69b2620083692d20442c62

SHA256
c2764e30e2d8892cea20caf672df75fd9998943a4c05d71460c25820724cb9ae

SHA512
66d684c65dcfda55f93beab7f09a3230353d5e8bb493e99af1c771a0a705cf97e389ff971918d9460d48c26f85a8230f50dede09be22d8195600c5946975f1d6

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
72KB

MD5
f2f201a24d80a89094bce0d9275f5d81

SHA1
24bbbb9ce1a8f05a02dddf890e2d9ae50bf3bda3

SHA256
16954d068a3524579d1d699d41492fb8dfd557229f59620ad8335c7334b13237

SHA512
a763f7bb5bb9240065b0b457fff5ae82aa1e70da1e697ff892972dc07f25d3cb657c132a779c6cdb6e7f9178c0cacc1991be80c36523d9b3f4c83fa0fb2b80fd

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
72KB

MD5
146518903870e8c742e09244dbee01b7

SHA1
f6876c61ff7e63225d42c16dff10bec0b0a3ba24

SHA256
2895fa2c770c87d8910750b51753a215c4617ea069c76e5d80bf62e80e28a8f8

SHA512
d210bc2737c11122593e3967b18c0e49116f4b66993793e148ebe5353478160fb067ea26a186e7d10debfce033a3a3a8336c8198d742aaa7a57c4a5610ede62a

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
72KB

MD5
42f54ee6dbc28668e5cb2d77521aa557

SHA1
6c5eff14740180345c7d99340c65fae96d97dd19

SHA256
626a3df4e132feba6309ad5f08c222429f07f33da8a38133e348dbd994acfa84

SHA512
1f0a25420d0d5ae51bf38427d5c74f94ed1cf2b9286b3cab86efa0492992e51f49230012936047d07c39ba7680217bf2d5abcb5f6ee9ea1018a1dbbdbb94fa62

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
72KB

MD5
3c661cd2948c340f1184102ab7368056

SHA1
4a3a8c19a431e37df6c61669eb0744f0e2be7436

SHA256
c668999ebcb7159afb2782ee0069e19c5b00f046a8f7e16ea933227ee41392e6

SHA512
1e4dcc018b6b926cbbf5b6986d51d857a4c33de11894a6924c3a7ca1cc5018983df9fee4a6b3571bcb2b67c92d8b53ab735f4b54e20671b6c4d09c85353fc094

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
72KB

MD5
07cbd77b396ddc2bbe41478817d3d516

SHA1
e10a977baad8cbbf83041393b2c54cbd6008e921

SHA256
f0b2609394c74224d8dad0fdb3b61ac9d4bf7ca4e0ad2ecd9158463101d5bde7

SHA512
5370a11a2fbbc0369cc6f1db8923dcd925c67dbd7f87c61c64ec855da522c6d7f2ad437746dec2c948ca7b2619755f95b7083ce71208453d00c42ca0cf040feb

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
72KB

MD5
59a793944c4647feb51cef4077214a68

SHA1
ffc4dc0098271ed247d10410a56b8f1187a1196e

SHA256
2e74f17c18a1ffbc3ff6f127879a406ec39ca13091fa079f42c0a2397172caa0

SHA512
d43ebae4eec680ac4c1c32a1e765b3143943553e633d5483fcf8534e2a01b0a10fc0983b4a21db51aeae805b804b198b71c45638be2081d548f1dc29039a49c2

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
72KB

MD5
77072b32c0e8dc7f59a4c9f694d9696a

SHA1
919c47b6864489b5519d77da676600cc1af57f3e

SHA256
d0af86e2c620dc5db06d059f7ce6509163c14b0b4eb00d16d89ee60ba04f25c6

SHA512
2b018f8a6b45a1ba855ca7e9ea7fefc3b75c872b5566cd6b813b88c501016b4e997ef1b0aa3a74b13691df2eea9d3a671c7dc7460f6de6c36ad611945fc478cf

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
72KB

MD5
763daaeb3bf354325e127dd088a3ad87

SHA1
17dcea12aac94f32c1933334425cad9d48d4a1c6

SHA256
a7370f68cdf3d095e7bf8fcb51e9c138bcdcbaf688eef3b05aa47ee9120935f2

SHA512
7f27558ed11038d0760dfa39413c36bad0abb18bd255f6af5a32f306154fbc75412283c7003496efc04c1b0e48ce86d40638606c98865ae186cd592482874118

Download Submit
memory/404-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/628-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/656-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/656-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1048-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1932-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-510-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2712-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3092-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3092-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3160-527-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3176-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3176-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3304-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3384-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3612-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3640-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3640-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3756-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4052-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4100-521-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4124-497-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-533-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4776-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4852-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4852-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-462-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-516-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5088-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads