berbew | 5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
Size

96KB
MD5

d20ca5403eb9d183fcf74cf69f4db070
SHA1

e3ca2581173abc916c32593971e63cee10bb987e
SHA256

5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183
SHA512

8e8e4ec1811fefb04dfe80812750c03590aa2a1419a5d06d402321d9a01bc789cf81c573068342ea3d5bc9883416343874a125ee003d04a8212af329641e48a7
SSDEEP

1536:Vy4L8lLEqKIbQ3P7Kixrdq9XLGOI2p2Lc7RZObZUUWaegPYA:kY8eJzKgq1I2icClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 56 IoCs

pid	Process
2888	Pmlmic32.exe
2640	Pokieo32.exe
2636	Pjpnbg32.exe
2284	Pmojocel.exe
988	Pfgngh32.exe
2836	Piekcd32.exe
2052	Poocpnbm.exe
2600	Pfikmh32.exe
1252	Pihgic32.exe
1868	Pmccjbaf.exe
3052	Pndpajgd.exe
2156	Qflhbhgg.exe
1772	Qkhpkoen.exe
2476	Qodlkm32.exe
2188	Qqeicede.exe
1340	Qgoapp32.exe
2296	Qjnmlk32.exe
2580	Aaheie32.exe
912	Acfaeq32.exe
1664	Akmjfn32.exe
1308	Amnfnfgg.exe
2256	Aeenochi.exe
2116	Agdjkogm.exe
2392	Afgkfl32.exe
2528	Amqccfed.exe
2904	Aaloddnn.exe
1808	Agfgqo32.exe
2692	Ajecmj32.exe
2312	Amcpie32.exe
752	Apalea32.exe
2132	Acmhepko.exe
2064	Afkdakjb.exe
2596	Amelne32.exe
2824	Afnagk32.exe
2704	Aeqabgoj.exe
3008	Bilmcf32.exe
1856	Bpfeppop.exe
2576	Bfpnmj32.exe
2440	Bhajdblk.exe
1316	Bnkbam32.exe
2292	Bbgnak32.exe
2352	Beejng32.exe
2484	Bbikgk32.exe
1660	Behgcf32.exe
932	Bdkgocpm.exe
1728	Bjdplm32.exe
2092	Baohhgnf.exe
2524	Bhhpeafc.exe
2708	Bkglameg.exe
1812	Bobhal32.exe
380	Cpceidcn.exe
2364	Cdoajb32.exe
580	Chkmkacq.exe
2828	Ckiigmcd.exe
2808	Cilibi32.exe
2656	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2852	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
2852	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
2888	Pmlmic32.exe
2888	Pmlmic32.exe
2640	Pokieo32.exe
2640	Pokieo32.exe
2636	Pjpnbg32.exe
2636	Pjpnbg32.exe
2284	Pmojocel.exe
2284	Pmojocel.exe
988	Pfgngh32.exe
988	Pfgngh32.exe
2836	Piekcd32.exe
2836	Piekcd32.exe
2052	Poocpnbm.exe
2052	Poocpnbm.exe
2600	Pfikmh32.exe
2600	Pfikmh32.exe
1252	Pihgic32.exe
1252	Pihgic32.exe
1868	Pmccjbaf.exe
1868	Pmccjbaf.exe
3052	Pndpajgd.exe
3052	Pndpajgd.exe
2156	Qflhbhgg.exe
2156	Qflhbhgg.exe
1772	Qkhpkoen.exe
1772	Qkhpkoen.exe
2476	Qodlkm32.exe
2476	Qodlkm32.exe
2188	Qqeicede.exe
2188	Qqeicede.exe
1340	Qgoapp32.exe
1340	Qgoapp32.exe
2296	Qjnmlk32.exe
2296	Qjnmlk32.exe
2580	Aaheie32.exe
2580	Aaheie32.exe
912	Acfaeq32.exe
912	Acfaeq32.exe
1664	Akmjfn32.exe
1664	Akmjfn32.exe
1308	Amnfnfgg.exe
1308	Amnfnfgg.exe
2256	Aeenochi.exe
2256	Aeenochi.exe
2116	Agdjkogm.exe
2116	Agdjkogm.exe
2392	Afgkfl32.exe
2392	Afgkfl32.exe
2528	Amqccfed.exe
2528	Amqccfed.exe
2904	Aaloddnn.exe
2904	Aaloddnn.exe
1808	Agfgqo32.exe
1808	Agfgqo32.exe
2692	Ajecmj32.exe
2692	Ajecmj32.exe
2312	Amcpie32.exe
2312	Amcpie32.exe
752	Apalea32.exe
752	Apalea32.exe
2132	Acmhepko.exe
2132	Acmhepko.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pihgic32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
832	2656	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2888	2852	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe	30
PID 2852 wrote to memory of 2888	2852	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe	30
PID 2852 wrote to memory of 2888	2852	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe	30
PID 2852 wrote to memory of 2888	2852	5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe	30
PID 2888 wrote to memory of 2640	2888	Pmlmic32.exe	31
PID 2888 wrote to memory of 2640	2888	Pmlmic32.exe	31
PID 2888 wrote to memory of 2640	2888	Pmlmic32.exe	31
PID 2888 wrote to memory of 2640	2888	Pmlmic32.exe	31
PID 2640 wrote to memory of 2636	2640	Pokieo32.exe	32
PID 2640 wrote to memory of 2636	2640	Pokieo32.exe	32
PID 2640 wrote to memory of 2636	2640	Pokieo32.exe	32
PID 2640 wrote to memory of 2636	2640	Pokieo32.exe	32
PID 2636 wrote to memory of 2284	2636	Pjpnbg32.exe	33
PID 2636 wrote to memory of 2284	2636	Pjpnbg32.exe	33
PID 2636 wrote to memory of 2284	2636	Pjpnbg32.exe	33
PID 2636 wrote to memory of 2284	2636	Pjpnbg32.exe	33
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 988 wrote to memory of 2836	988	Pfgngh32.exe	35
PID 988 wrote to memory of 2836	988	Pfgngh32.exe	35
PID 988 wrote to memory of 2836	988	Pfgngh32.exe	35
PID 988 wrote to memory of 2836	988	Pfgngh32.exe	35
PID 2836 wrote to memory of 2052	2836	Piekcd32.exe	36
PID 2836 wrote to memory of 2052	2836	Piekcd32.exe	36
PID 2836 wrote to memory of 2052	2836	Piekcd32.exe	36
PID 2836 wrote to memory of 2052	2836	Piekcd32.exe	36
PID 2052 wrote to memory of 2600	2052	Poocpnbm.exe	37
PID 2052 wrote to memory of 2600	2052	Poocpnbm.exe	37
PID 2052 wrote to memory of 2600	2052	Poocpnbm.exe	37
PID 2052 wrote to memory of 2600	2052	Poocpnbm.exe	37
PID 2600 wrote to memory of 1252	2600	Pfikmh32.exe	38
PID 2600 wrote to memory of 1252	2600	Pfikmh32.exe	38
PID 2600 wrote to memory of 1252	2600	Pfikmh32.exe	38
PID 2600 wrote to memory of 1252	2600	Pfikmh32.exe	38
PID 1252 wrote to memory of 1868	1252	Pihgic32.exe	39
PID 1252 wrote to memory of 1868	1252	Pihgic32.exe	39
PID 1252 wrote to memory of 1868	1252	Pihgic32.exe	39
PID 1252 wrote to memory of 1868	1252	Pihgic32.exe	39
PID 1868 wrote to memory of 3052	1868	Pmccjbaf.exe	40
PID 1868 wrote to memory of 3052	1868	Pmccjbaf.exe	40
PID 1868 wrote to memory of 3052	1868	Pmccjbaf.exe	40
PID 1868 wrote to memory of 3052	1868	Pmccjbaf.exe	40
PID 3052 wrote to memory of 2156	3052	Pndpajgd.exe	41
PID 3052 wrote to memory of 2156	3052	Pndpajgd.exe	41
PID 3052 wrote to memory of 2156	3052	Pndpajgd.exe	41
PID 3052 wrote to memory of 2156	3052	Pndpajgd.exe	41
PID 2156 wrote to memory of 1772	2156	Qflhbhgg.exe	42
PID 2156 wrote to memory of 1772	2156	Qflhbhgg.exe	42
PID 2156 wrote to memory of 1772	2156	Qflhbhgg.exe	42
PID 2156 wrote to memory of 1772	2156	Qflhbhgg.exe	42
PID 1772 wrote to memory of 2476	1772	Qkhpkoen.exe	43
PID 1772 wrote to memory of 2476	1772	Qkhpkoen.exe	43
PID 1772 wrote to memory of 2476	1772	Qkhpkoen.exe	43
PID 1772 wrote to memory of 2476	1772	Qkhpkoen.exe	43
PID 2476 wrote to memory of 2188	2476	Qodlkm32.exe	44
PID 2476 wrote to memory of 2188	2476	Qodlkm32.exe	44
PID 2476 wrote to memory of 2188	2476	Qodlkm32.exe	44
PID 2476 wrote to memory of 2188	2476	Qodlkm32.exe	44
PID 2188 wrote to memory of 1340	2188	Qqeicede.exe	45
PID 2188 wrote to memory of 1340	2188	Qqeicede.exe	45
PID 2188 wrote to memory of 1340	2188	Qqeicede.exe	45
PID 2188 wrote to memory of 1340	2188	Qqeicede.exe	45

C:\Users\Admin\AppData\Local\Temp\5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe
"C:\Users\Admin\AppData\Local\Temp\5f05a3daba5e23ceec5720f0fabf72a29a5f4a18d81ac0cb56b3870cf87a9183N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Pmlmic32.exe
  C:\Windows\system32\Pmlmic32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Pokieo32.exe
    C:\Windows\system32\Pokieo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\Pjpnbg32.exe
      C:\Windows\system32\Pjpnbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 140
        58⤵
        Program crash
        
        PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
96KB

MD5
645d6cbb4c0cbc2b01388416468eae84

SHA1
5ccb4ecfef9913065f6743bf2158bb768d73dc30

SHA256
41964f3602eebc20f99bd729892a9132b5bab12e762dc240f21eaa0de240955c

SHA512
ec9cca67ec85e837f1bea4e2123ee06fc2c893b0fedcfbb325d042dc0c8414676f84b31a51e6ecb1049c3285fa667098768e0ed2709f1b58f1e72e082798f211

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
96KB

MD5
f4eb1fd5b7a0450b4e9086de01c318f5

SHA1
ef67cd0cd23b85fd4d3400bc5fe92ce6982e9844

SHA256
7760cbe3e88cd8767645efe81d9541e8010b416574c84ab4f705bc383ad35896

SHA512
9d60b4b5c4438f51cc00c6dff5c0a155a96e10268b1b97a7b80824899851a4677dbeae360ba5c507d63143fe1dd672d4343cc085b0e1ce0b3a8986056cafba03

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
96KB

MD5
e67dc57917c6bc174b4f914814b2cf28

SHA1
44ad53965c500bb58db1c5863a312462ad2be38c

SHA256
58d62bdbca4cfbe8a7829e32665fd1093a53ff8bec19c4b65218712c8252e18f

SHA512
a417eb1723019bda4334e90c24f5cbb3c0940461efa338a17651f31f5019ddc912bb29b61759178bfc48266e417e48dcaa659f624658ad5db0d2ba0e113e9c1c

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
96KB

MD5
f5140c043149a56b795e5ebf12232030

SHA1
f40903714493e8bde9f571c73c56ba6fe5f92b84

SHA256
d8b835081f4d6d16775d058737a0cfc8ada4c9a2c42bf4daed6bb1eacb966431

SHA512
33416cd25b38f480c0d7b4cf36fe04a59898b6ca6c08b67c320f3fc123162e237f9849354a7a899298d4fb166958a422e5628707c7907c7bada3ccdd6d8f3e89

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
96KB

MD5
32f868477ea1c465124f333ebef4321b

SHA1
aa150f62acf128076a44a176511f102873e128ba

SHA256
8b2ff5229c2b768d7edfbb7990e61a83e17fef8b7ac8a47f76be87f37e919b1f

SHA512
8e3e9fcbc67664970c3520ccccfef00f3f0d2f71438c68ed380fc0ffb2aba0c680915b526fbbe1f9b0cf93c03faa86392ff7a61f85ee6bf6e31228e19d8fb45c

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
96KB

MD5
772499b849dee1397fe73e4a965c4677

SHA1
fdbee8398c08e9e0031ad36a0fea7ed1944a4b01

SHA256
440c96df2ff3dc4bb557bf2627e6b72a64d85054b019ec11089d0dcc0fc53c71

SHA512
228c6346f7863437ddfa0dcb867a591b4b5229d57502f035cb6071b434e07c9cf88d056dbf4fdcacf008a61d59b276752ff83c1dea8a217fc13e087b0d8b20ac

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
96KB

MD5
da5ec35a06a830e6587721c7bd470c09

SHA1
a0d05055af91cb7b71229ff892f4e327f3ec9676

SHA256
cbbd4c01c54e8784364eb07ccf227e7f5e9a20e4c5d52aa569b40299f44a506b

SHA512
ca36b9f37f436369a0c8bd0a8122e52236d1ce48ee7d8ea84cd79ddf593d0cef392d651fbf9001e76ba5d37711b5a63c7e7fc3c619e46c96be25e0bbaf618c51

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
96KB

MD5
9f90f0bf03062c00b52c756b0798f2ba

SHA1
232e75888e613beb86db5f683f21b8c9bfc21abd

SHA256
e139fb2ae91936cd22f16c059078cdd46d165043b29b2ec3ed5b51c57380c399

SHA512
fa2507743d02c6f430ce017d790379814a8ceb59071aa5a83009f7d713706a4cd5ca23f82d3808df928400bb12feb6b7cbbd30dccad58bc37eed75ffc7604078

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
96KB

MD5
4f5de4c9b33a8db019db38c89758a6b8

SHA1
84a724f15bbd6c8a8f7996f209338dfb690909e0

SHA256
107dcd8ef9eccb433dfeb887fb6b4f1e792569c15fabda92a8b84ac82db5475b

SHA512
c6e86d51bca1ba44e9c5967a0359c48da8ffe6862824b3d98ae93395910137737360d303f85c7879eca7c806c592448abca6f029ebda28825b7743c0673c0f4a

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
96KB

MD5
570a613cdba565da8d2e86f7032c53cb

SHA1
9ceb3d5eb8c8bb569e621542faa590b7d0138b09

SHA256
22c1cfa6bc7c2847dc77266bb03c0182c2b6f20e9b4df9379fbe547954021fe5

SHA512
1f45c5c0ae10fdbe7bcb7946618f2bfcad2a521c7ec2f98e417e29a1311c069ae1eb950dbe265429cf15911fe5afc82912ea93b4b4a616051284e827589a5720

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
96KB

MD5
b6ccfbc515c80813c00f1bced3ff9a21

SHA1
3a4a6d55177250d405f8a871829c7b894716b2f6

SHA256
44f270f2e54b90a2ff56d50266a2a23b55ba1f7fd69bb5b5fae974a7431947cd

SHA512
dbbe7f65b8f98c6dfc881d508cfec86a7943820d5899f0b514de0e1f9ea1818e5d6761dec25481632810b8d7bf1e2e2d324a46d105f52061a165443df9aba9a0

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
96KB

MD5
9183d9773b7f6f5b2e7de4af0ed6b326

SHA1
bacd9efb25ca2244ef72cc414c66054eed36e43f

SHA256
e7d98401c48d430464bb58fbd9e446a167cb54a103e2c823d3c7ac43189cf388

SHA512
ccff9d25980282fc620e0540565664e0ad9125d6c31292f93b79d6f6e9ec02f717ca453dc2dfef300d3ee3c0798b3e5d71244cead0ad4dca71066af5c12f93f6

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
96KB

MD5
5c2bfaf90032ceb221af331bee04424a

SHA1
ad50ccf727ff01d2533bc145aa5ba3ce234dc156

SHA256
b9a0ad5e4899967a2a73b05bb40dfed1ab8df15bd13d9d70d16e09aa78869dc1

SHA512
73c6c32a305d198e092ecdf8960fe440e30b35138d3afe3029720c01537061456a7a68b7b58eac148a8346ca17cf300418823a0d923b18f425daab266504edc0

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
96KB

MD5
158ffa3607a8fa0e7d109f48ecf09f42

SHA1
8d0d10a3352178e6bf64ed5391c17873fd8b941c

SHA256
e80eb1ec7317e542cbc18c194fcd770848b3b14445df12ca3ebc3a0698edbf65

SHA512
cec1d3ff60befc419e36a590559e080894ea402eab6679b85775fd36e5bce1201f53eafedab02e1319ac5d3cfe2c66ae7b91a212bf6fe1dd748f987ceb5e14de

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
96KB

MD5
2fafa8046caa30ee6da24d2b9b88e1e6

SHA1
c1e355ad7b9d729609ca13d909c6936f3426a7b9

SHA256
9b0c0cef70629000d5f33b7f1d098d1bf67eeac35e7c86557dc7df0de72aa99b

SHA512
8a44394653ac7a321309efe11410d6076ec8d43508751f6754ceec595dab4e92a77eb8b021745df23372742546ff6e624bc952a2cf5d6f5d0201967208dc4cf3

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
96KB

MD5
8fedf564af3d24d9034f4d46d766f3cf

SHA1
3be6ffbf4d3e5900123c0048112336892cdb988c

SHA256
d1e3f4183fd95c6aae475f700f70ab8c06cb71c2820208aa0a188dec52a878e4

SHA512
5c13ee1c6f0c609700e9056c4c1752d94cd7ef3dd52a0b5fefe74c76cd313f6929e52cd4ce0a3680b9283831141a0eee91eb745248e92d488ef80d58d533a5e7

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
96KB

MD5
dc2ba69cb85a2e28ab6afe853c44edbb

SHA1
fb25420d36bc1b854e4a4fbefa68c983267b0eb1

SHA256
745e1f58765363877c2f2199ad4a952c01ebaa15cc47fbbdcaff50cc83befcb9

SHA512
c511ef176d8dda1c6f13289e4594c93d14c4e1ab512248d0735bf2412206c1b17fe483f37bf11e78dc8954fcda0f352c0d7109ae023bdc5eae25324cd0f24d42

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
96KB

MD5
5de01bbdf32ca8e98d2244f644668e75

SHA1
97d29b00af6a8ed0955bfc8924653cbd0958aaf2

SHA256
4f1cf819174d7dc12bfbdfb1e45c0ce37595c3d71cb46e7dbb48c274b25b1507

SHA512
d8aac98573523723573aa13e61bf684d7030737a15796b93b3a2fe0302cacd726b6983f36ad2bcfdce3bb3ebeb4bb5d36f75acfb738dc12262518edba5b787dd

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
96KB

MD5
2d19062f5d5c4099fe3c1f9ea562c34d

SHA1
5f0eae3f67000d031d80a50c152df8107f9f059f

SHA256
139c04abcc9186ba1e3f90e52faf4616a33a59cb6a21790620ef11ce35dd33e4

SHA512
2c62adbf7a3d27dc3e95659d89b11259e853615fdcdee737cd1ec8e8c66ce1a9b6b82a456643256c96d5695e6c12a6b78e63bf1ba415afe571e0cd3c8b5a1707

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
96KB

MD5
a015dde3de9ca4bdfedb43b7c36551c1

SHA1
6947f8d81753b84847c162149167293b2b1f6dfb

SHA256
001f060bade47a3ac6f7276352eae6505c63e0a8190c665242b0e313e046d99c

SHA512
877a4dc1f1441c1be4265869d61fa8cfa9cab281607fc29ae57c640daa8e81425e5d918598ecb6e46eb7e5d16b004f66b2ad881259b8ad5669bb77007915cb40

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
96KB

MD5
4dad201c2ce145f58cda5047669c3500

SHA1
462e65e84b8a081f8df8a67a4c008305dee36810

SHA256
01559c01a57f90dc3ebca5d6ba1186caea06fa077984729d25855445a5471ef2

SHA512
e1f60d0065152469e26c840e1bf98f16edea24c0574aaa99ae1ad06186c9b38b0bd23b4c99297239486c3b1f46fa63c97d414799b6ca4078cec7c3c8f948aae3

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
96KB

MD5
fe945876b5ea64cf407499882d949124

SHA1
79541cccc8938b85708b419b1785c74739890363

SHA256
0d0e78a1f7ef01ff54111357a1e879b8d11c1eb5d531c1e0c07f39455d702a65

SHA512
60b4a6b82d88533defe18cca0806be330dec5c4dccbdedf21970589bf7cb9f04849a5a5ef1835725b4a5de98f4f52631b424a1a4b4cd3b3cfc0cb0018f3b0509

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
96KB

MD5
93ade0d6aa88e1a9911268ef78c4ed45

SHA1
22db92c6834b782ff3025b05f94d993197618225

SHA256
8008a5c0578c8287672b4930040b3774bebc1b42eef24148120bf6da96471d9c

SHA512
092b35c9fc4d4959f007fa9f9e562e69ac81c27bb408d0e09b06a21601c26c00c5b30e2f762e8b01780f6daf366d81b180061666f38bc6ad7b74a57046b43725

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
96KB

MD5
225f08062d6efa27ac9aa17dfabf7798

SHA1
adcd1f4915d9cc3c006c8058ba5fe8e9cf429cb3

SHA256
b9a9ed4e576ed0155169bf400ee8ff6c591aa39d848cdab379d8d58c5d303258

SHA512
dcdad194d8b1f66a9c413a8e29b818153ad584bc2577f2a47c4a021ca6409add38994c45bffe0e7058202b71752a9185dd5f90f945795a345b52b759984d5508

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
96KB

MD5
484007a7871bf1eb66cea838a3823fe2

SHA1
576dd0f23aaf1ccd359cb5a6d12e4fc861821124

SHA256
e7e1b586cfd8f5bdd928cd15cfeec043eecdc21dd53b7de044760fab18b14df9

SHA512
7337ca08f2563bb422fc569abaafd19ba9adc05e5fdd427e6092f78a8b9313b122edad0f93b80f59be0762558e6ae32604430f4effd8411800999ea7636dadd9

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
96KB

MD5
9231adf16429c48beb790538d97c77f1

SHA1
c255e9e480ff46a1ff9fd79fc951e86b4138804c

SHA256
2842daa2ce14cde4978e0fa72aa0fbbd7a940a37e98d0a9a92debab70860479c

SHA512
5faa7673f8ea44e9dd25ee6f6d97db324040ecc2a9db604973f380711bbb4eae6cdad298b6059565e2d33e4c4543bc355cb5fe5f29aa9b83cb9f3de2000cbdb8

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
96KB

MD5
57380bbb81c772f8c8119c4e402f98a6

SHA1
798ff79ec3d0cd3b9bcd3862c722df6936d8d707

SHA256
8a331d863fe5d1697322e1fb288fe908525f4a0e3d6e1a5279bbc7f79ebed93e

SHA512
8baf3710027a5a1cacf0cd643cee6960313827db512c12374b905e726f1a2aa6d6bdb577893b5b7fed8ee668f94bc45438f9230cfd0923248f4d3cade10f19fb

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
96KB

MD5
b06c0ab586f663f37c48a676734d1e2e

SHA1
2aafa8e4300d853580a20c49805747a0c331f314

SHA256
6dda42c5d2bbdd732d93efb9bf2c9d04513e0e7441b55c622e446c0d26c570e2

SHA512
6a7b2c4edcb3aec136f4cbfb2d391573dc7e21d57d2fdded5e502c986fee63a2824f8719c99379ce56e6da7e622f5b4eada2838bb766ed597e99f14eb6e83cd5

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
96KB

MD5
4f0a483b932a114ad0daa5d2809dd770

SHA1
7c88c842dd56d26e1afd994366a4335871d3b369

SHA256
ef21a0060ed425aef20d5f464e20edf20262646b1ce3e9d35fb42a1811b1396f

SHA512
560b48cbae1ae9d9e37ec7787fcf7c480dbb64657087f7f0a187fb215bcf0afa964db17d2a65e4374c521e784bfbb6f0eaf3e2322f123cda275baa31087aea01

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
96KB

MD5
7eb7e80a47a79bd72c2453cba1fe3195

SHA1
bbf1af2359e72edb379c737e950b6f1cacb596ce

SHA256
00382ee0ae55194c4a37a59e11c1b650403c415ed7fb950b308121efa190b5f8

SHA512
24bc0ffb3a3a94124bc237ac97ea72a9b6b08cd6ac924cfa4dc104b7ef82797389b5b14ce7cd44d9577a539f929d91373e85e0b774a9bb39713b6ad50694b9bf

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
96KB

MD5
90b442d15402b6d3e171536302433f2d

SHA1
e041a91d7ab66603ad931469c69e0eb5899fe7be

SHA256
248d85d96ae922385addecd9d8c31bae8b48e9c50cac080e58c7aca15a02971d

SHA512
bec74a7a8e4d2410dc83e85f18d7d2b8154e077aa4999161adfc1d168aaaec628fef875e085a950ef7d5adc0de5442b5e841d03c18f008e424a14f05319de966

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
96KB

MD5
2bf6254a2334a717834b619bc05daef1

SHA1
7524f0ff8b118386a39f7d92b9dd90d888c6d363

SHA256
b17b355d9169c9456ee6179f95ce16741dc9137c608fa35e8f49d404c264f90f

SHA512
6806e54e06ba2b8f2dc3e2a42460ff2266917d584422d00df6e46af6dcf8663bfca11ca1bc9616864839bbc092c722601094ba045203ef817ca45cb62a32021b

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
96KB

MD5
60daa23223db328b4da639859462bff0

SHA1
dc51a116d94ff063ad5c6cc4cc62deb722b46257

SHA256
fa914ddd7008e4d8b05ac2a77ccb02d9b0268d559ac477c5875161a3ffdbb5a1

SHA512
fa48df7224fe7d19c2697a5cbc535a9d426fe6553721150bc0e0988c10f1dbf7d46366f848aceee90bcbf7b9897c2e9adf5ee3463d0d3be469f542bb88429caa

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
96KB

MD5
975fca25afd7c94388c870e809458faf

SHA1
7edf7f2817ef328a5cc98e7c0f4f85e0fa12231d

SHA256
4aeebe45bc88e8414cc4f3beb78fca21292b1b67060d397147a706f90b2416d3

SHA512
8475783d527a157cef69a8dc1c3f5236a64544f09610c2b016ec0493b065e1838e867349d744caac8e42668db3c79f7545b6c1471c7dcf66f546358ea16a3949

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
96KB

MD5
2df6287dc263a8d1d4a6bc2d01e62efd

SHA1
59f25d7306b9ab7e9dd003fd299690bd345695b4

SHA256
40992a11cd41f215df4b8791ec42ccfed0531cf038b5247cfec9c3be548fec43

SHA512
6c9c4a7e97ffca4cc2fa37cae66c0e0f34bf73ef8484bf83e25bde71f271a65feff2e4a8083daf65fa711981e15e40c2012bbf96a3ec36e5f01335e35b925e52

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
96KB

MD5
5a6cbc1da5685892650cffe5a05c4dc6

SHA1
b6ac66fa8a530449cacab46b88c0bd14f6d24e5d

SHA256
4171eba79be4457dd5ff8be1e2f2b84520c61ec766e7dc43230e126a9f655290

SHA512
3a89560f82f01c3fe57d610d0db78aa3f78d68161350ae5de847e5934aff1d8307ddaee5c7c0861526114b4cc7499a69274c5f2c55f4d00955e2e7dc1f9b2eb6

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
96KB

MD5
d5e3e8cbd7b68fce97a0e559a185e723

SHA1
a23c5df81ff18b92e3edac08bef681adaf736e85

SHA256
deee86aced5243699beb94690e59668abe6fc0615c5edbc76c5081d1622f2f8d

SHA512
6b570cfce26e19561591babdae7836f6e5ad1798f7c120bfdab577863ae54d5651aa29dc5e892272e81c4d539b04454e2ba17eba996a1fba1d267dc97171955f

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
96KB

MD5
b9e471d62e0bb8e46163b9d96b506192

SHA1
068761b4ec92a6e287835310c46d99417609cf82

SHA256
0c8f4f069a5fce6ddd6097571b0c51370307efe02c6d489408db57b028218e2f

SHA512
86729a95b8e316e1181b2d16f42356028c713b2df77deef931b62250c25569a00ff4309a6931d72b24e061c7d75d308ec2cacc98930b66a74ce32275ad6d5086

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
96KB

MD5
516ffa496eb2c4bd1e3bc02fb75bdf64

SHA1
901ccb1ab15760830c980e22b8c5654fd0f21e9b

SHA256
2d656d54ae43bf0b56bf543ca1a71278d8a5fd9f0b05afe6059e686c0369a4d3

SHA512
673a2cd1932fee82277b90fd25ba3df1fca0f8a5739ab493e9fe38cd9512213386d949f18a91f4c304fc67920656e20989bc491b7866d4673e5c4286fc9d9a8a

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
96KB

MD5
925fdaa023562b8059ac0265b56e6711

SHA1
c597cd4beafd4701f66107306fb6fa02f37d1624

SHA256
cd68a2456c16227c4aef702c969947bc4c29e624ab650eb65a6c6b1d08dc0c3e

SHA512
205053ad66e98928d4b55d6668d42d9f0dc8e70094d7d888c1f78ac474ab0718c80dc5f30e42a21cfdff708618c188e89ca57682ebf2f51773fd727ffbfe7635

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
96KB

MD5
601bb5e1166e9126ecf16aa7813e4566

SHA1
a983f8c53dbfc43144b31ea81b70b2422080e436

SHA256
d1f13d7ec6622271164531984220bf9c9a9d65f2a06a943e89445580b7dc3dad

SHA512
98e1b6ecc8b24a33c499b2eb967f9e440cde19ac6f7522bcc99630f9663a1446e4bcf7730f5c8bf07f6f180c25398b3662c8f5b1970350e7f775147bf6cd805e

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
96KB

MD5
30ecb71b212af3bb593b0ff5e397a96f

SHA1
41edf248e7c9bd31a9d8cb34351ed0c77a5434dd

SHA256
3728aa6c1b32249d1ba90594c6232083b9ead1d468d7afcab8b6e6729a8f1b36

SHA512
395f3aa0634724b86663d46d7c6d1e6ddf97b3f4301e9bde5aabb12e8894f0ea104fd2faff5a2ad74f6dbed81fe69d2b6be82ad9f6d5bd9926a558cec3e5fd06

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
96KB

MD5
1a521954c912505ec9031f120852d3a0

SHA1
fb9eda2e6792bb9166197e32986d5a2dbf7195f1

SHA256
82d66877f5e40a01c80a29bfcfca08d5401ab40bfe2d948b164c9b8c5bd25706

SHA512
167379273aea2d1b3293b242db921e3aab40b3a7a74345281232335e56b86b57ac79ad63ad365b284ff99de3b85c4cc1f1a0162e7b631eb85182f13641e22b01

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
96KB

MD5
c862b5d651a7acc30b56e4562d26aa10

SHA1
055f290bf8d2c474fbd19ad2c155071f2e35d08f

SHA256
26badc94f3e5b848d579259926582c6991656ccd99078d4a2b90dd5e35c34697

SHA512
9575eb0099e8954a436bea955faa329b8ecda0a58a9ec9c58dad0a9bd8745080abfb4945189064b5abf77ece0ce6489758ae71f2d9aed8c416b90f7982cb4731

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
96KB

MD5
66605a5394790cd3b941126a72a1fd68

SHA1
e2a7dba3a382fcbf803ed7c8da41b1e5f0131313

SHA256
68165c1ab7d338138830b01b68ae40f6f9be6175e978330b240187db7d677796

SHA512
a4115b4b1d2f701771ea1e635bebe38a725aa31332974b68f3e8ed8554be60ef1e85b6f26f6f6a3b7ce7365249b06f5032abe40bf31259518ec4d24af5b4e018

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
96KB

MD5
18df9bf5e978af2f4008fe397708f964

SHA1
c4225cbf1ce1953bb966929eeffd6559bdfbc916

SHA256
825d26e3ce2020e5ed8498dd1e041047bed277de40bc9c5a00625fb4e3d2d9ab

SHA512
636b37122cb8cc407ee399b272fd1230d51af74b082d02dddd22ef580c1a6e763f780e549a81c1098d1883b1c3db70fec2e67581405d9bb8fd52aacb7c9a78be

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
96KB

MD5
b7e0d5b4d97a7dab015e9236d69759b0

SHA1
1f2e077bc2f5b800cc15989ba73dcc91b450a3f2

SHA256
a657c511011e76692c76da4f42bdb360f595e40637c58f145af0e4f7e8646206

SHA512
c5085554823a92fcc75f2c7ab162961aa7dd908b2866010c1e8af758139a71a40ae4e991627887c1fa829161fcf0abfcc26d492c2e0525037479e8f538dbf32e

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
96KB

MD5
2ce99b744763ded9947a5815165601d8

SHA1
5fe35e98b25f523ef6b5d0589b926f6fe7d80567

SHA256
94c3819b24c63b8e2c7dad9586c5daa4037241aec5b1e205aa56c4f52ee06680

SHA512
f2b3663467f19d4f66d112bee4daf62a21dcda9a038ab52c769b3815e53d5e505de351929422ec762427d2d3b5c9cbfc8b8b0da576026c7ac4d8ecb4892d01de

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
96KB

MD5
e9c0875c128ad588751f57d3fecf7aed

SHA1
e378c6108e7dbe55d7297fc7f8975a5eb32a26e9

SHA256
1a9b6e43bac5b6a0b0a11a2a26dca13ab0d1c8551314ae5888325df30b6ddbd2

SHA512
b1ed83658b7c0c8851e954de6f3c703c9a2dd3a797698a87b8eaed8c8f686ff17f57628c23e18d04850b22baf6980901e2947e49b8dd9c56064779b342ecce4d

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
96KB

MD5
e1721939d1eca8cdf0b59e2abe0d7938

SHA1
48efb4ee0b49d24ea89f257e10d354bf2ac90985

SHA256
4a6af544772ba01e1901b369c164525052bde77870bf3daffa88612e04b65ceb

SHA512
eecaca0b33d6ccc1a01001106d719634896b64dc46d958192f2f710838a68d0be3b34d1fce2359c6df618503c5a1fdc687f3a3491d12fb708cc8b8fd03891dec

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
96KB

MD5
c201c35ffd45e1534de33792417c205a

SHA1
2293dc9b4a1d7159db30e1b1d0859e5179f4088b

SHA256
8695df96b34c719af548b677ee1c22db8b2f594924c7c58c9c932205a6e17f86

SHA512
effbf097076f21b11eeb3fb941004c59165e3af1a3d3e2d1d569b9d3dd62262c49bd097c34c0435cae36579d3d60ea6ec2b0b0143ecbb85519e6956625a7447f

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
96KB

MD5
79a4e57f40d744f83e576cf7360d2841

SHA1
0c1af97f4b079bd141028d329f729d6d6bcc8bb3

SHA256
4dcd945d4a8217a69245ebdff968468a9b1d27d328d3665e0be72e492e47adc4

SHA512
deca188ab0495766af35a76f778c55f5f661a117a20ace56472c24dee7e8d95ab02a73b20a4f8ec819eb3a5a38751b5a359e9055835ac42a2cbc1702c978e5f6

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
96KB

MD5
2628d00543bff9f14e1c0d29cd9bd366

SHA1
b2537bbb997b1d321ecaea39306f666bee727b52

SHA256
771a89b1e893432d597b7237493d96f130a2d81c582cf15ec71b390f1532c13c

SHA512
251670136221e2e11a99b8eb3232147abc52a6a60002dca4c46d8d9644b783359a8c7b2057016450f00b59ba9fd574376026cd37287001ec83a1d6df02feac57

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
96KB

MD5
05490af5fa1cfc82482330fadcf6e73d

SHA1
7dc2d0af6e82ab348624427042614d4770078dc1

SHA256
ba315212bf9448e361e129383d410887af2004a5890736bbdb741bd136f4c041

SHA512
e3dfd39d999c6e7efe3d8f89b3d5cd719091b7181719e37e99906c1ce9409e7608cd72e89d82e0d93295dddfb6de343e52ba9245883823c06dd0971e531d89c0

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
96KB

MD5
807df69b59efde6b3e2a4e919b5685a0

SHA1
4fda36e403ae33d89d6153680790bba2fcd821c4

SHA256
bbd4da664d2b3a5c068b9ae74255be30d64ca02916592cbeb804ef2a06bd162c

SHA512
2d91a4f63da878c24d6b2b2ce9d86e6bd1f4ae9d6edaacb4a38a9f6ef48d2c5177b6c8b80ada5f0d9a5b1ac0a1f69804f6f967cf23290c8e1edb213e6bc27550

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
96KB

MD5
a61c37161c53f7fba51a025164600c7f

SHA1
7e9f6ddfb990b4c564d2e087e5a091bc91c1935a

SHA256
1aa71d70f83511ddf8c673e3b7819c4589e97de4014b81ee7ecd489ca17257f9

SHA512
762b0463f4c73d52bab2cf51e4363c3c05b6fc49241d6d150124e4def1e3793e1da312f6478b536341bb2ad1e41eb44bcc1303fa76617188586dc60e50a287bc

Download Submit
memory/380-660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-673-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1252-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-476-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1316-477-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1316-666-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-220-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1660-663-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-257-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1664-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-665-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-329-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1808-333-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1808-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-442-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1856-438-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1856-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-141-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1868-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-384-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2064-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-682-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-386-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2092-667-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-288-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2116-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-680-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-373-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2156-172-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2156-488-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2156-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-275-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2284-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-396-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2284-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2292-489-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2292-490-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2292-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-232-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2312-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-354-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2352-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-294-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2440-465-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2440-670-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-195-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2484-511-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2484-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-303-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2528-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-308-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2576-450-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-455-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-671-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-239-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2596-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-659-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-114-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2600-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-39-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-374-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-658-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-339-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2692-340-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2704-417-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-418-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-668-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-703-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-684-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2836-419-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-17-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2852-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-363-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2852-18-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2888-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-317-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2904-318-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3008-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-427-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/3008-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads