berbew | c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361

Analysis

max time kernel
78s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
Size

85KB
MD5

f7e49a0f72d9747830b6113f85ef0100
SHA1

fe418d46d4a65b952d7c7e94c863649f1d81ab4b
SHA256

c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361
SHA512

714953dc529032ff681be65ffce9596ae16dcfb820d6def7dce93288e7340da1ac4990b0bbce6e02552f9d94c19cb22a1d6f8657468174063df98969219d8f98
SSDEEP

1536:p5zEfCSfJI7QfA1hJWc7zCsotlI2LHFMQ262AjCsQ2PCZZrqOlNfVSLUK+:HmRfGQIMc7zCsoHHFMQH2qC7ZQOlzSLA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 49 IoCs

pid	Process
2092	Pafdjmkq.exe
2916	Pgcmbcih.exe
2684	Pdgmlhha.exe
2712	Pkaehb32.exe
2716	Ppnnai32.exe
2604	Pcljmdmj.exe
2312	Pleofj32.exe
1868	Qcogbdkg.exe
1888	Qlgkki32.exe
2052	Qgmpibam.exe
1624	Agolnbok.exe
1760	Apgagg32.exe
2428	Afdiondb.exe
2888	Akabgebj.exe
2780	Ahebaiac.exe
1192	Aoojnc32.exe
1656	Agjobffl.exe
1360	Andgop32.exe
2072	Aqbdkk32.exe
2344	Bjkhdacm.exe
2920	Bjmeiq32.exe
2348	Bmlael32.exe
1552	Bgaebe32.exe
2696	Bnknoogp.exe
2812	Bqijljfd.exe
2820	Bjbndpmd.exe
2584	Bfioia32.exe
2560	Bmbgfkje.exe
1876	Cbppnbhm.exe
2024	Cenljmgq.exe
1820	Cmedlk32.exe
2520	Cnfqccna.exe
1604	Cgoelh32.exe
1892	Cpfmmf32.exe
1408	Cbdiia32.exe
2644	Cinafkkd.exe
2368	Ckmnbg32.exe
1328	Cbffoabe.exe
1704	Caifjn32.exe
2856	Cgcnghpl.exe
2904	Cgcnghpl.exe
1788	Cjakccop.exe
1740	Cmpgpond.exe
2972	Calcpm32.exe
3056	Ccjoli32.exe
2496	Cfhkhd32.exe
3004	Djdgic32.exe
2940	Dmbcen32.exe
2892	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2028	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
2028	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
2092	Pafdjmkq.exe
2092	Pafdjmkq.exe
2916	Pgcmbcih.exe
2916	Pgcmbcih.exe
2684	Pdgmlhha.exe
2684	Pdgmlhha.exe
2712	Pkaehb32.exe
2712	Pkaehb32.exe
2716	Ppnnai32.exe
2716	Ppnnai32.exe
2604	Pcljmdmj.exe
2604	Pcljmdmj.exe
2312	Pleofj32.exe
2312	Pleofj32.exe
1868	Qcogbdkg.exe
1868	Qcogbdkg.exe
1888	Qlgkki32.exe
1888	Qlgkki32.exe
2052	Qgmpibam.exe
2052	Qgmpibam.exe
1624	Agolnbok.exe
1624	Agolnbok.exe
1760	Apgagg32.exe
1760	Apgagg32.exe
2428	Afdiondb.exe
2428	Afdiondb.exe
2888	Akabgebj.exe
2888	Akabgebj.exe
2780	Ahebaiac.exe
2780	Ahebaiac.exe
1192	Aoojnc32.exe
1192	Aoojnc32.exe
1656	Agjobffl.exe
1656	Agjobffl.exe
1360	Andgop32.exe
1360	Andgop32.exe
2072	Aqbdkk32.exe
2072	Aqbdkk32.exe
2344	Bjkhdacm.exe
2344	Bjkhdacm.exe
2920	Bjmeiq32.exe
2920	Bjmeiq32.exe
2348	Bmlael32.exe
2348	Bmlael32.exe
1552	Bgaebe32.exe
1552	Bgaebe32.exe
2696	Bnknoogp.exe
2696	Bnknoogp.exe
2812	Bqijljfd.exe
2812	Bqijljfd.exe
2820	Bjbndpmd.exe
2820	Bjbndpmd.exe
2584	Bfioia32.exe
2584	Bfioia32.exe
2560	Bmbgfkje.exe
2560	Bmbgfkje.exe
1876	Cbppnbhm.exe
1876	Cbppnbhm.exe
2024	Cenljmgq.exe
2024	Cenljmgq.exe
1820	Cmedlk32.exe
1820	Cmedlk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Pleofj32.exe	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Fdakoaln.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Pdgmlhha.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Pcljmdmj.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pafdjmkq.exe	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Ibkhnd32.dll	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Omakjj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Pafdjmkq.exe	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	2892	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2092	2028	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe	31
PID 2028 wrote to memory of 2092	2028	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe	31
PID 2028 wrote to memory of 2092	2028	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe	31
PID 2028 wrote to memory of 2092	2028	c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe	31
PID 2092 wrote to memory of 2916	2092	Pafdjmkq.exe	32
PID 2092 wrote to memory of 2916	2092	Pafdjmkq.exe	32
PID 2092 wrote to memory of 2916	2092	Pafdjmkq.exe	32
PID 2092 wrote to memory of 2916	2092	Pafdjmkq.exe	32
PID 2916 wrote to memory of 2684	2916	Pgcmbcih.exe	33
PID 2916 wrote to memory of 2684	2916	Pgcmbcih.exe	33
PID 2916 wrote to memory of 2684	2916	Pgcmbcih.exe	33
PID 2916 wrote to memory of 2684	2916	Pgcmbcih.exe	33
PID 2684 wrote to memory of 2712	2684	Pdgmlhha.exe	34
PID 2684 wrote to memory of 2712	2684	Pdgmlhha.exe	34
PID 2684 wrote to memory of 2712	2684	Pdgmlhha.exe	34
PID 2684 wrote to memory of 2712	2684	Pdgmlhha.exe	34
PID 2712 wrote to memory of 2716	2712	Pkaehb32.exe	35
PID 2712 wrote to memory of 2716	2712	Pkaehb32.exe	35
PID 2712 wrote to memory of 2716	2712	Pkaehb32.exe	35
PID 2712 wrote to memory of 2716	2712	Pkaehb32.exe	35
PID 2716 wrote to memory of 2604	2716	Ppnnai32.exe	36
PID 2716 wrote to memory of 2604	2716	Ppnnai32.exe	36
PID 2716 wrote to memory of 2604	2716	Ppnnai32.exe	36
PID 2716 wrote to memory of 2604	2716	Ppnnai32.exe	36
PID 2604 wrote to memory of 2312	2604	Pcljmdmj.exe	37
PID 2604 wrote to memory of 2312	2604	Pcljmdmj.exe	37
PID 2604 wrote to memory of 2312	2604	Pcljmdmj.exe	37
PID 2604 wrote to memory of 2312	2604	Pcljmdmj.exe	37
PID 2312 wrote to memory of 1868	2312	Pleofj32.exe	38
PID 2312 wrote to memory of 1868	2312	Pleofj32.exe	38
PID 2312 wrote to memory of 1868	2312	Pleofj32.exe	38
PID 2312 wrote to memory of 1868	2312	Pleofj32.exe	38
PID 1868 wrote to memory of 1888	1868	Qcogbdkg.exe	39
PID 1868 wrote to memory of 1888	1868	Qcogbdkg.exe	39
PID 1868 wrote to memory of 1888	1868	Qcogbdkg.exe	39
PID 1868 wrote to memory of 1888	1868	Qcogbdkg.exe	39
PID 1888 wrote to memory of 2052	1888	Qlgkki32.exe	40
PID 1888 wrote to memory of 2052	1888	Qlgkki32.exe	40
PID 1888 wrote to memory of 2052	1888	Qlgkki32.exe	40
PID 1888 wrote to memory of 2052	1888	Qlgkki32.exe	40
PID 2052 wrote to memory of 1624	2052	Qgmpibam.exe	41
PID 2052 wrote to memory of 1624	2052	Qgmpibam.exe	41
PID 2052 wrote to memory of 1624	2052	Qgmpibam.exe	41
PID 2052 wrote to memory of 1624	2052	Qgmpibam.exe	41
PID 1624 wrote to memory of 1760	1624	Agolnbok.exe	42
PID 1624 wrote to memory of 1760	1624	Agolnbok.exe	42
PID 1624 wrote to memory of 1760	1624	Agolnbok.exe	42
PID 1624 wrote to memory of 1760	1624	Agolnbok.exe	42
PID 1760 wrote to memory of 2428	1760	Apgagg32.exe	43
PID 1760 wrote to memory of 2428	1760	Apgagg32.exe	43
PID 1760 wrote to memory of 2428	1760	Apgagg32.exe	43
PID 1760 wrote to memory of 2428	1760	Apgagg32.exe	43
PID 2428 wrote to memory of 2888	2428	Afdiondb.exe	44
PID 2428 wrote to memory of 2888	2428	Afdiondb.exe	44
PID 2428 wrote to memory of 2888	2428	Afdiondb.exe	44
PID 2428 wrote to memory of 2888	2428	Afdiondb.exe	44
PID 2888 wrote to memory of 2780	2888	Akabgebj.exe	45
PID 2888 wrote to memory of 2780	2888	Akabgebj.exe	45
PID 2888 wrote to memory of 2780	2888	Akabgebj.exe	45
PID 2888 wrote to memory of 2780	2888	Akabgebj.exe	45
PID 2780 wrote to memory of 1192	2780	Ahebaiac.exe	46
PID 2780 wrote to memory of 1192	2780	Ahebaiac.exe	46
PID 2780 wrote to memory of 1192	2780	Ahebaiac.exe	46
PID 2780 wrote to memory of 1192	2780	Ahebaiac.exe	46

C:\Users\Admin\AppData\Local\Temp\c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe
"C:\Users\Admin\AppData\Local\Temp\c847ce0db96a24619b9621c2366751857223218ca347e258a4c3ca6f07cda361N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Pafdjmkq.exe
  C:\Windows\system32\Pafdjmkq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\Pgcmbcih.exe
    C:\Windows\system32\Pgcmbcih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Pdgmlhha.exe
      C:\Windows\system32\Pdgmlhha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 144
        51⤵
        Program crash
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjobffl.exe

Filesize
85KB

MD5
b4084d2efb6eacab351cec98e21fa7f6

SHA1
18613277376a78adfdda9a201bedb12815e37fb6

SHA256
67dd67528feec3ebac162190e86ab3d10a44f70423a70e21aaac6d51da8cfbd2

SHA512
43ca26b244fcce894fb4e2283e9831371080dfa81624f98a29e2bb06b1508b4be9e07f935858d71060d2da5ca99e058b5a9d9772c4982e49204d30e30970b3ac

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
85KB

MD5
15b66f47efe1ff272cf43925f8a0d098

SHA1
ef952751f4b124b6e52169de8b34b8ab97f5c916

SHA256
c2759aa3aeebc88fcb33e0a10cb68efcccb1b891ee3f4f3a7fe4e923bc71d920

SHA512
c4e5f1532a85c4570902d26c2bbc1c9e30e9e07f343077cde319c04eba33f17ad0f89cbcc5508a6a683bc0ade17b758ad2511c5f25324904ce36990340b6d86e

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
85KB

MD5
0ff828595ab481721bede89fe9341925

SHA1
247649419a4a663704bbb0c3c5bc55374ebc5bc9

SHA256
e38350bb3d15bee170b9d550816f59bf6c9af6daa820ffa3d1c9ba32fbfbb263

SHA512
2ac5e79f2bbc9843d81c1734bf369049c9dc7d4094394872ef1c043a1bd1aa4de1e90230ffcd666492128151f56b567d4f2faad60d98c7634fd56f139eabdacb

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
85KB

MD5
511c182a8b723196a5ad188843d562a2

SHA1
e8a7acd330fc31eae35a59494aebe405f60df917

SHA256
e1371df00063e9b78cd747bcb687e00b0a277bcaa0c96a69ca23bad48a8fd39a

SHA512
5eb27badad77394292421cf76d28a9a939ea102b9570a3aab8563ac1ac23a7463e88f39079eda036831f38d9ce89d148b5177d5b61551b52cf1e9225ee3567ff

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
85KB

MD5
23e8a02aa55c141c8fd0c55bbf36eacd

SHA1
1f376ba61aa9f65d461b9adad0ddbf513641f007

SHA256
075ca2e319501f96257d9b9c21cff196fe70e9e1f983d1eeb3682d10eba9b4e1

SHA512
b343df6f60d488d3c74407cb33e70f72ef30a8d8c095af29d2df77e39d123c987c56e253bf18361e645eb3da5a850045fa672827fd2f1db0b653acced5099b42

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
85KB

MD5
1c8c295051ca762b22ad7735414fbe2a

SHA1
f1b68a0db9907a4545962cc19a23c1e57ea85568

SHA256
77b8e64d4bba00e72ccd6cd4d295365217ea52c3d7c20f03c50e3b35a1b9e071

SHA512
93a4d3c85a827b9d3932d73eeff964227d239b934484bf3f249d801aa1f514e5d4f96573f89982c3099dd18323b3c36bd107ad2960e5f6862d40333e5b3e27f3

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
85KB

MD5
71ace572a8735097fa799b7fb7d70587

SHA1
29bc90231f2aef9728ba4dd91ae944189eb92a24

SHA256
0b1a09f2c5b48f7f70ff3a116e0214e1bc08be022027e68672909b54ed4b0bc3

SHA512
19060f0fb8b1ad3c481e6972726af8543c920275407244d34230c7db0aec10136ce955ac3ce0145a6c03a4a5b519426b7e05ed8e0c6604881bc7f15fbd8f67a6

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
85KB

MD5
489179b7b3e912a3cae164dd28c9a1cd

SHA1
5af5f0d0b2eb563008966c5662681105850adf23

SHA256
b8272daf427cafb1fb258ddfe0da0d97d1e60f98144cbc90281d8855e0b7c379

SHA512
c7bcbec051f960fa3c3fd4c66bc1ff0d3ab78350dc3babc493d0bce13ff704c8eea32941e5790b90b8425a89a08be4bbdf5507160a8b00d894373dbc246df1a4

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
85KB

MD5
3489e98ffff1da220e8a5e245ffd30b8

SHA1
2bbbe84cc10c0bd322e133dcd2192a5867f519ee

SHA256
a09a4b15e960400f9f8738a99943c257ca84f8cd43d7e28355c9c80bbb05c32e

SHA512
d4970ebc37b0780d894ecbb3881371e4c34f174bbb80a04447122b1278bfa83d3d8231a966f27d999f2f715518e83099f897f512244d372e54060e2b48fca51d

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
85KB

MD5
e6be2a67bd16cd08918dea7604a9e73c

SHA1
fd53624b3100de8598ba8025a379ba5bbc43b3c3

SHA256
5f10d5ff60da378dfb3379a7e4584c0e22aa8627614a45ef3258ff86e8bc29ea

SHA512
f7bb5f51bc0ab26757f391f594837ba94288a818359ca4ac7b04c12e6588b192690531a6e63bc85de71b210513ec1b1e0eab14fe5a011c934898288661a75d02

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
85KB

MD5
ac64fcc05c406c50f865f30e691f7eb1

SHA1
990767ae607a5e6f0c35f7451b95fc669bcc60b5

SHA256
d028f75511d96103b4bbc50a9ec224de3292e39852672c6e250826370d438150

SHA512
d64ff98662202b73257c49e594e21dafd36d5a6255ca82645c2d84ad45b4ca6c828819f57c1c140b820fb69c90f228befeaf8c2e976cea2721e73db8933c5d84

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
85KB

MD5
c7bb558d9ef8652bb1fd0c858ef309bf

SHA1
5a1d638a240e21cc0be41215abbcc128cf9e3100

SHA256
4f030f5652269bd61763ea6348336428e4eb4dc137136cccbd81e0e007298d8e

SHA512
00b6181e7805043b49c4af2372dba445e36e3b6fb4c73e28a9b6321b033a730ffa3360e7251ad6a648472eb6447d6c4fcf6544f5665e028e4cd90363a732dc26

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
85KB

MD5
c33fbfe3e9fad2fee9f083f6b963ce43

SHA1
47f6027ed81c5383d04b4fe09fba6f7550dc96bb

SHA256
4f58bf18878e30f842d1b9f6884ad2ce94e89f85296e929d6739723e3496bf93

SHA512
bddc88b4b7e3731a98bd0d6f1418b8c839ec972afe7fdbc581acb36ee443966702d3d17d6747938283fd2d4e8ab5e0c2785c811bfc9edec848e731f2e8f5d11c

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
85KB

MD5
8a5727a1e6bd55643a3e7f595e33c371

SHA1
d2cfc7c2718f9f554f9ff0a39d8d19a1f758d097

SHA256
3aee7521b90a08bfac4af0405f0e59fdf10459e061cffc72f77e1b48cf9033ad

SHA512
6af85d13683a350d92a1ee192e111f0a57eb33a13f0e97e8846ec15316932620eba6bad3b350e41465384125edeb308dd94b05499bae5ff800343dcdc1c32251

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
85KB

MD5
8c3aadd74df070b4652e9d3a8d84bb40

SHA1
ccd1bcc5134fbac581e666b927c15a1231e186eb

SHA256
7ddd0724be91f92c45a55dcd46af434bd979d600e00bbc8f62ad6aa318772548

SHA512
c2e1d11ac8669d59e4967a45ef595faeecf5165c748e250809313faf47f9b68b7ec49c5c011e0c40acb8d5d69bbbb482a501f33eee21f9b192a5fc07ed2af143

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
85KB

MD5
af2c581e3b6b4410958e7443d58e41d0

SHA1
71326d328e1a70ead94470602292e13f941c1dbe

SHA256
7e68ea47c71897fe9b2739a8a7c11fc168e4cca0d5b6116a6ba066adbabbc1fe

SHA512
99aaa1c4ac3cf2895ddb41d70239b862af163c31c924c5a07e922f5420f48b2542665f37daf0df495adf47aebe1481a998500b7d8f549a8d8ae3f0344876fc68

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
85KB

MD5
6e1b2f1b70785ba1a93f6eaf9ffb2429

SHA1
ba22b962c8b004796916f72f91828162319820d8

SHA256
217d91ac196c33340f3a6d21bf7aad4c9a7344f25679522d976c95d1192a5e91

SHA512
e034cb241d8a5172ebc0fff69a13fd5d0c7d93351899707903e849d50b2fd00fbbf11143be74f6088d4ed0088d3e909d5f2e691cc8610f2e80135656103311d2

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
85KB

MD5
7ba53285a325ff5201aff308df025e73

SHA1
75a6203563b29b1a7f4e1a6d71c28c040bcab74f

SHA256
9993f66fd297137905b402e4bc4086b9cb067b4d489a08d2f14af72bf056abe7

SHA512
130b7a7ba942cd1d8c9e9549568683f03f7cccc97014a1e6dfdf882fdb7180da2a520ae252d53d24cf0b3c750a1592f93b71c1f53b683ec0c490ee752fca737c

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
85KB

MD5
1102984b5073fccbb508714f57ee4ef6

SHA1
daa6b03d7f2330ffaf1f1b53e096a2b32e2c76ae

SHA256
07a3914a52f791341f3ef691581880c30b4846e2bb0343ef3267fe4c24b3da3c

SHA512
48a19732d0e5226ffeec0f6e094ed277bf4bedee63ef6ff8d0d4cc9d7077c44698290440f97b81e56222644e08a6d740e654600519ab795130ccd1b05d9fb217

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
85KB

MD5
844bd368ef390e5b3ff80c9742d8c55d

SHA1
e68a011e2077e8fa98910356cc2f9ad32d412e69

SHA256
118e07cb06d8ae1edbaaaadecf405b912113f3bb72f97fc0c992542fe129b4ad

SHA512
0527fb35e078b2fa798e5e37515660b9fc30ee9f5e356ac3aee464a2558825f943c0957d7a3790eeef2c0cf33060355badd542c0ae5c2c8a60f0d146b22b8ce4

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
85KB

MD5
3a9fde61a2900e9ba63a46f80f02c9a5

SHA1
66453eaf0aa519b709a365314278431cfe6a6f6e

SHA256
1737c92e3013e82b2fbb94298a14e831125f35d5ec411be4a5b7e29c6ebf4b34

SHA512
32906c36662b2ff91887b808181974c81f9e4f558caf7cc8728c7d55899030e793668d9d519c55d6f4f51915adfce2806280ff46c1c9fb1c96a2d38a2a81eb3e

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
85KB

MD5
56412d6138f5746090035948234cae89

SHA1
2e247d61bedc76537307f1b9cdc20cae73f1c802

SHA256
d9cc1cc79d12394dc2590f658bb1c4a58975921486dceeb484a8ef825ad8d0cf

SHA512
cd7f502ae416a84b9822eccdf899c2408ba1d26ead83bddee8cd78518e15179efb61b4fe3d86ae0659375f383e96c8b35f8d7574747c426667b085ab4452569d

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
85KB

MD5
c53cd293c40f2644227da0d311850297

SHA1
73a4e37eee980eca627d177d87234bf33eb3bf91

SHA256
43b258b677f2c5f541ad24201080ca679d1c564494ced5946447ccf4a3f96e0d

SHA512
5a0413e218f84616861e80f7c4f8edcc12ebaa8e0e6a6b3360e157506f723b5da0ea6b5e19eabf3fb3bebce910dfbd74801b6a92f1025d0c07606d75d5769a10

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
85KB

MD5
17734ebfed4f5d30bf7e2d465090f0d7

SHA1
d41be71575d5465e0380f216c55d7b810f174582

SHA256
6fa9d18a0c9f7aaeb92bdf2fdf3342b50a1e2c09382f42121ee64bb6091670bf

SHA512
a4c941d8f19397e4add2f003bd981a25b50fb281503e913c0e46503af8c4456e57efbb726afc5722c874c7f926018439616f999c63fd091529d9f57cf043e2be

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
85KB

MD5
4c1a4994b13ed0a3975126b268032759

SHA1
84e996969eddf4d9f4c23fc42aade7a902fb443d

SHA256
fb66b24b661cb932d706cd963b52cd5272aab381fe1383f3b1fe10ca580e5b29

SHA512
8922ede00e1d392a05f8eb7c283e6a77c65a65271e9483d9bba45aaa42e8770fc1673c76a3f9a3626c8b65b73739f0ae6f61b8362e84d24d9699670833701815

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
85KB

MD5
1a2b9766f64e8a8be983a29e090b9704

SHA1
426b8ad82d45c9a4455eb3ed94b1453742cf25ed

SHA256
f3ee00218da80d5a97da518a3407ed1ba8566151e1da55ca40f2eb318a262068

SHA512
a625463fbc3264bf64b23d0d14731e13a0056a5decd71f3ae9a115bf0acf8d51379accd11ba9fc2fce6c668c517c43f8d6d68c509b7218f9f162ea8044e220d6

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
85KB

MD5
92e65e8e42586837f31bc194c366bccb

SHA1
c84664d48a3fcd59a6e47f3da6012ec4b9010a1e

SHA256
83e3170a665e94893ff15dc0d141104a91452bef038f9b9aada4efe33d1a0e7f

SHA512
190ec0be01763141025e3394bbe2ab3df83e804345f1c28e8016e6cd35cc4d5091818afcf57e5c138d5b484f78fcbc4167d4392e896ec08dbd8066769f86e6bc

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
85KB

MD5
7fcef284c42aeafdbe43498027ce6e48

SHA1
bc89c12ffac2a3066c477b2a6f3ed8a93f9c4ec4

SHA256
ce4332ab561c3527bc6103a22587de66764ae8e9c6223208beff109c6b9b3cdf

SHA512
32afd663046ad934d6f9bf7c3c6f1169ba9c1e07ea9c0356b4ede27f65cf15e02cb4ab5b0d38439aeaa90f471289860cdd9dcb5c84a0ffa5feebb85697187d09

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
85KB

MD5
ea98d67e578ea2bacff6aeeac4cdaa20

SHA1
e1caea503dcdf359be0b0204fb9fe8fa28c21827

SHA256
9db228bfa64e7fc3ce9ddfac5e8396640beea215c093716a803ba9db344a2992

SHA512
02224a0a0ab58ae3a5d8072798660768c21a3ce1b05321fe3fb9d0eeea1c5527d015842e3af5876cc9042a0e33faae9abd6c4f47382d446292b5007f55f9dcb1

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
85KB

MD5
bda8bab469d15b64a755eabf4984c61b

SHA1
8aa734bfd258d662d713b19b8e028e761e00d760

SHA256
edc40fef1c588ee525a49dec8597ef41bf6c75f2ff3c2b90063f6f463c092bc4

SHA512
f3453e82ccb9616824200ab7feef700b54c2fbb2e07753b0d7beaed38f78df3a9001aef6cac9b9cb4f614a51a982522f54f220b3bcaa5018d16ada045eddc147

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
85KB

MD5
bd04a0564e3139cd87317abe2b4f02d6

SHA1
def815183b36da89272f0281912ae4e9a9cfcb92

SHA256
021d742d113cab19c955cb3770f5fdcc95596060020be7754ee709ff40c04557

SHA512
b8b962e412dc9c8d71b18700b1bca92122a632ad76d69708a8287d981a89d884b3dce7539bed695aabb6ae463f68eecd17d8c4d911e3230092108106acfaf241

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
85KB

MD5
11f454f09c92ba29b15b0a1680b8b70a

SHA1
f60c26a4e6c34f513c73da6bf874dab78ebb222e

SHA256
85f99cc12a710cc25c1a31f30efe2003e71945198691f3e19b42969e4ad98ae2

SHA512
b7f200af2ead776512c9f020502cbb2158af3ac088b1e4cce5905b445c4492353ee7a2f9cdbc4dd9a7a987cb321f9da255288616026aaa478ef43a07b03f3bdf

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
85KB

MD5
c01275c19eb6ce354814fd5e29e3fa90

SHA1
0c9b27a6f4ee875e8279eddb0ae101084f9c4f29

SHA256
db34327af2afe873deaf8e8bb0f04a9ffc73072ec98be7a978aebcd73dddfa9c

SHA512
b74b2e25ccf382ccaceb91a1ab938b2ba178e0814139d986c6e62ee22915780846d52d1142f73c41ccee5ff6c60e02fa07070d726b1180ea1d7988132087dc08

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
85KB

MD5
f70593d061b18d17187da8b78dd98201

SHA1
e174e0e4b8d90d57eca759a30dea632feda6fa8a

SHA256
25e25b2492b9400040285e464e549eeb104637f486d21bdd928628b588b6f61d

SHA512
f22f95d2863f0e57917f100aff051807d20507971fb5a290a3b5a44eeb970ab56dc70489af49334b394dc65dbd4f445226f08e1f58eb74941dec0bdc214370a1

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
85KB

MD5
36a19b08783646fc46f47694135f294f

SHA1
cea58eff9b93ddb07d48e843e84b7467881985c4

SHA256
149fcc6a2e0ea7d123191432fd33964976e2f41a2df080c38b1fc9197474d27a

SHA512
dc2fff25b362ad1cebff06e52a93f50ca8ada577204133ca7a6570633c5ddb064e498b8f65b37e5dd5e87fc36cb0f0e81d1561fa2f4120a1d75faa74788f6f68

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
85KB

MD5
85962c4a85595591043cec8facbf9914

SHA1
1e7979a6bb54d324aa9f1108537b77dba280107e

SHA256
0a6d39e1c24fac01569d607d8867413ec5254e9b389e1c27cfde0d567bfc24a8

SHA512
41ec220b2c96d5a688c197c804f6da05a7164d394eed621b6bc03a4db932733e18aa271e01f9e2e75739c4aaac73a6a0747045113513ff7bc2ad6e81529fb0e1

Download Submit
\Windows\SysWOW64\Agolnbok.exe

Filesize
85KB

MD5
7efca1407f1fa10a2faa62a95748ab32

SHA1
009e5db3be484191ecc981ff13fc58ffd46c5f28

SHA256
c184302d7e90e171d50d7fa25a553ff84e01390022fcc390498649a4e11d3f94

SHA512
6fd5926acd6c3a894ca5a193218b52d42bbc00e79f0ca83a6e844130c28f0764e584928949588efba1ab678708ea4263fc98776f929e7354f17a008d99e8582f

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
85KB

MD5
ca64bb26f2026c8ac7d41b6179141a7c

SHA1
d1cb056ddc9eb0c919d1d2b3fcf22c9ba6500de2

SHA256
ac3427b675aece3fb100b4a676a51189ec0a7e46070d92cc5c1d7016db546b71

SHA512
a4b452077e84421a089f6212de85a1778a9c0015f7aa22990f9813db0545d0ebfaec25eb1e901983538333c7b820b139dadbf66a6edba4ab4b8f407ceaf055d9

Download Submit
\Windows\SysWOW64\Akabgebj.exe

Filesize
85KB

MD5
f472fef57bd02bcc7fdfdd2fc31e88bf

SHA1
b3e702c9228e3114fbcebfb07b3860be51847676

SHA256
545ae794b44d6bfb80777e30989ac81629bb3b365edc49727b02b90ce5e124d4

SHA512
52cf6b7352b7ea49a548e0adee6b9b719e0323ccc47ea0da57364205c170df3ff12568c6d75b7e3dfe225e78e028596dd6515c63ad10238584ae5c319883a77f

Download Submit
\Windows\SysWOW64\Aoojnc32.exe

Filesize
85KB

MD5
60bf1a5805d697b5fe7225d551829729

SHA1
b249f8ad7daf70ace68f528f712c670cdf7f1d5f

SHA256
b2d325ef68a05f1425f188f89e53844e90e0995c245e21cf531a21d28a4a1812

SHA512
73d768b454bc05f782fc4e9d087feb2b1e8c5cafb6d0a0d54f603e7b4448946ed765b0d74870e4d993b6faf244d419bd7ac161b6837040db250039d1ef3595e1

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
85KB

MD5
379ef2bd7f9831d801bdd0b0c370ad98

SHA1
7c37632c451dec6a3d84b7ede03f156b9f270525

SHA256
caceeafa9f13bf72b4eb08f7cb0a5199ec64f1c828beb000ea53a9529885ca6a

SHA512
6e9791b87dc26d663dccd33d0194cc1f93940a0f782c3f95dc7322437f460c840a31cb2a4bff33664add98e19628dc80abe246de6b9d4a33f6a92bd0e664c195

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
85KB

MD5
97fe98dcacdcaa55bfd52f537ea77afd

SHA1
629a20c882eb71e91aabc4d8d3abc2e1ba1099fe

SHA256
3812e6beb4303f2c241c21648ea4c75cda67df7b998d31c919a719abc1049526

SHA512
b9e4ff8229814d8115c65e20947ec34345dc50e4a03e0303bf7a917306c7ae7b3414c4eec16bf5e3267f9e06e90fcd4921382e7ef190d0371ef6b14c0b502364

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
85KB

MD5
2c87eb2a862f35376d6475e06891d4b4

SHA1
c85ad86dfff902ad7e99e5068b6f7f622be7798b

SHA256
0c8043d45248b9b6cb679e5746128fae9894ed61e124e8973d464cd192548c63

SHA512
93f35ee3ee86a63d63416bb10535bee0267af723bb1083ad9526a356e834c86f8ccab0fef205344827c48c2efea983d10c6e3c2b14efc5ae397f3865e87d2109

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
85KB

MD5
21630a2d383b876f713f994088f0e383

SHA1
9ccad37ddaa4ecbe231fa4f3461b0a05111fef29

SHA256
715811678390ce15a0192a61e8dbe7bc07e82b6e8927fb61517956380c350284

SHA512
ee0f911265f1ea6e5c8df9819f4d58910d2d001be09b29a6fe89fe01288c0b2a9761bf9a1992a5ce705e0bf11b4d9c70ff518069a56e773d0b4b95850088311c

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
85KB

MD5
cf256d8ea0c49fa13c99bdfd83c5c177

SHA1
dd891395c76c2f4caa7925de13dc8b215e102f1e

SHA256
39ba2b92581627c14577f6f555b325a66260cbaab395ff2cf2e97dfab3e70160

SHA512
a4972c60cb0a612acb247653175b11833100d23a8b351b6439fa4d872a85ad41f5bc91e3ec17bd18dbefd18823f80f0666576c2be0ab59fa90ee580fcb577f46

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
85KB

MD5
f6b30d46035ec72752fc09cd01ad63a1

SHA1
9aa5aa3363a21bbb430ad3d8a7e99242ec0799b8

SHA256
2a1bcceb9dfc828571af2b1b030b8e68b781d8d67e6b15572715890e3b1a6177

SHA512
2435102fe28b3f6e8245bdf8169c1cdbd6934a1768e5f0152e90a62e7226275529e20c2644ed72a8caa538d8d0c5673f8ddfec411b783f56f82a67e36507eadb

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
85KB

MD5
5cb20bd1a039fd806ef5d9bcae60277b

SHA1
62bd5c04b93fb903d5fc1ffb6d58a0e2d38c2d72

SHA256
d4e93243ec8fc04912dae47d59c8f53de64f91e022b31f61290be600b4838ca6

SHA512
630ac2e6f5d0545f8c192b5746ef3872c2fcd35a3f57b0fabbe11abe7b8ceb11f2c636b4a4f919ca852e89d717b8b55a15c547ec0d470a21b1f33af1de2eb857

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
85KB

MD5
49603a20a38ca090f10ac36cfb25b3d3

SHA1
491ae363ac8db4e509e37f78d7638ca4bef2836e

SHA256
80da8bb3fa500128589876e63dbe7da4449cee63fbb2a7ff4e50d97f8966a653

SHA512
13af72c79f6d021ce7f324f8824d5d22cc493dbe6e33c60be908eacbd667763765deedf68b7a842057aaee6dde48ed84344771f01a69bcc6dad6cfb7de9267cc

Download Submit
memory/1192-244-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1192-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-264-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1552-324-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1552-323-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1552-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-359-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1624-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-185-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1760-192-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1760-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-413-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1820-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-175-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1868-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-123-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1876-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-391-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1888-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-190-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1888-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-12-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2028-6-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2052-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-152-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2072-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-278-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2072-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-111-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2312-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-158-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2312-160-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2312-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2344-325-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2344-289-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2344-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2344-326-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2348-309-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2348-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2428-249-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2428-201-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2428-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-377-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2584-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-402-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2584-369-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2604-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-92-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2684-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-370-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2712-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-66-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2712-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-112-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2716-128-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2716-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-77-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2716-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-236-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2780-270-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2780-271-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2780-235-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2812-347-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2812-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-381-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2820-355-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2820-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-216-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2888-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-35-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2916-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-299-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads