berbew | 10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
Size

93KB
MD5

da34ae52616b3a977434ebf2ca5d8900
SHA1

40209ededafba8febc99aad96a95afe721ae0559
SHA256

10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099
SHA512

9e858b0376663393790c6c62599d2efd8e59336c1641acd52da6f1e8db4c3555728f078342737adf6b93a417105822add32d81a25ff1d7ac0c1bee8eeab1ad0a
SSDEEP

1536:6CzLUSGWJL6GQOuSeecqcnO5GhWH/lkEJtrwVbjKWcTqxjiwg58:6ohmqOnO5GhWdkEJBwNKWceY58

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piicpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdncmgbj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 58 IoCs

pid	Process
2832	Piicpk32.exe
2728	Plgolf32.exe
2660	Pofkha32.exe
2636	Pkmlmbcd.exe
2808	Pebpkk32.exe
1748	Phqmgg32.exe
2652	Pmmeon32.exe
1328	Phcilf32.exe
2632	Pidfdofi.exe
896	Ppnnai32.exe
704	Pkcbnanl.exe
1764	Pleofj32.exe
1160	Qcogbdkg.exe
2884	Qkfocaki.exe
2160	Qdncmgbj.exe
1032	Qcachc32.exe
1924	Apedah32.exe
1940	Agolnbok.exe
1728	Ahpifj32.exe
2448	Apgagg32.exe
1552	Aaimopli.exe
1132	Akabgebj.exe
568	Aakjdo32.exe
3068	Adifpk32.exe
1696	Alqnah32.exe
2156	Anbkipok.exe
2740	Ahgofi32.exe
2820	Andgop32.exe
2840	Aqbdkk32.exe
2564	Bjkhdacm.exe
3000	Bkjdndjo.exe
1840	Bmlael32.exe
1668	Bdcifi32.exe
1248	Bnknoogp.exe
852	Bqijljfd.exe
1164	Bffbdadk.exe
2708	Bfioia32.exe
672	Bmbgfkje.exe
1016	Cbppnbhm.exe
564	Cenljmgq.exe
708	Cocphf32.exe
2056	Cbblda32.exe
2492	Cgoelh32.exe
1380	Ckjamgmk.exe
2136	Cagienkb.exe
1504	Cebeem32.exe
1692	Cgaaah32.exe
2992	Cnkjnb32.exe
3064	Cbffoabe.exe
2664	Ceebklai.exe
3060	Cgcnghpl.exe
2984	Cjakccop.exe
888	Cmpgpond.exe
1516	Calcpm32.exe
1988	Cgfkmgnj.exe
1508	Djdgic32.exe
2864	Dmbcen32.exe
2940	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
548	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
548	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
2832	Piicpk32.exe
2832	Piicpk32.exe
2728	Plgolf32.exe
2728	Plgolf32.exe
2660	Pofkha32.exe
2660	Pofkha32.exe
2636	Pkmlmbcd.exe
2636	Pkmlmbcd.exe
2808	Pebpkk32.exe
2808	Pebpkk32.exe
1748	Phqmgg32.exe
1748	Phqmgg32.exe
2652	Pmmeon32.exe
2652	Pmmeon32.exe
1328	Phcilf32.exe
1328	Phcilf32.exe
2632	Pidfdofi.exe
2632	Pidfdofi.exe
896	Ppnnai32.exe
896	Ppnnai32.exe
704	Pkcbnanl.exe
704	Pkcbnanl.exe
1764	Pleofj32.exe
1764	Pleofj32.exe
1160	Qcogbdkg.exe
1160	Qcogbdkg.exe
2884	Qkfocaki.exe
2884	Qkfocaki.exe
2160	Qdncmgbj.exe
2160	Qdncmgbj.exe
1032	Qcachc32.exe
1032	Qcachc32.exe
1924	Apedah32.exe
1924	Apedah32.exe
1940	Agolnbok.exe
1940	Agolnbok.exe
1728	Ahpifj32.exe
1728	Ahpifj32.exe
2448	Apgagg32.exe
2448	Apgagg32.exe
1552	Aaimopli.exe
1552	Aaimopli.exe
1132	Akabgebj.exe
1132	Akabgebj.exe
568	Aakjdo32.exe
568	Aakjdo32.exe
3068	Adifpk32.exe
3068	Adifpk32.exe
1696	Alqnah32.exe
1696	Alqnah32.exe
2156	Anbkipok.exe
2156	Anbkipok.exe
2740	Ahgofi32.exe
2740	Ahgofi32.exe
2820	Andgop32.exe
2820	Andgop32.exe
2840	Aqbdkk32.exe
2840	Aqbdkk32.exe
2564	Bjkhdacm.exe
2564	Bjkhdacm.exe
3000	Bkjdndjo.exe
3000	Bkjdndjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Andgop32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ngciog32.dll	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Phcilf32.exe
File created	C:\Windows\SysWOW64\Ppnnai32.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Agolnbok.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Piicpk32.exe	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pmmeon32.exe
File opened for modification	C:\Windows\SysWOW64\Pidfdofi.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Phcilf32.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Apedah32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Phqmgg32.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Cfibop32.dll	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cgoelh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2192	2940	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piicpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bkjdndjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2832	548	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe	31
PID 548 wrote to memory of 2832	548	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe	31
PID 548 wrote to memory of 2832	548	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe	31
PID 548 wrote to memory of 2832	548	10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe	31
PID 2832 wrote to memory of 2728	2832	Piicpk32.exe	32
PID 2832 wrote to memory of 2728	2832	Piicpk32.exe	32
PID 2832 wrote to memory of 2728	2832	Piicpk32.exe	32
PID 2832 wrote to memory of 2728	2832	Piicpk32.exe	32
PID 2728 wrote to memory of 2660	2728	Plgolf32.exe	33
PID 2728 wrote to memory of 2660	2728	Plgolf32.exe	33
PID 2728 wrote to memory of 2660	2728	Plgolf32.exe	33
PID 2728 wrote to memory of 2660	2728	Plgolf32.exe	33
PID 2660 wrote to memory of 2636	2660	Pofkha32.exe	34
PID 2660 wrote to memory of 2636	2660	Pofkha32.exe	34
PID 2660 wrote to memory of 2636	2660	Pofkha32.exe	34
PID 2660 wrote to memory of 2636	2660	Pofkha32.exe	34
PID 2636 wrote to memory of 2808	2636	Pkmlmbcd.exe	35
PID 2636 wrote to memory of 2808	2636	Pkmlmbcd.exe	35
PID 2636 wrote to memory of 2808	2636	Pkmlmbcd.exe	35
PID 2636 wrote to memory of 2808	2636	Pkmlmbcd.exe	35
PID 2808 wrote to memory of 1748	2808	Pebpkk32.exe	36
PID 2808 wrote to memory of 1748	2808	Pebpkk32.exe	36
PID 2808 wrote to memory of 1748	2808	Pebpkk32.exe	36
PID 2808 wrote to memory of 1748	2808	Pebpkk32.exe	36
PID 1748 wrote to memory of 2652	1748	Phqmgg32.exe	37
PID 1748 wrote to memory of 2652	1748	Phqmgg32.exe	37
PID 1748 wrote to memory of 2652	1748	Phqmgg32.exe	37
PID 1748 wrote to memory of 2652	1748	Phqmgg32.exe	37
PID 2652 wrote to memory of 1328	2652	Pmmeon32.exe	38
PID 2652 wrote to memory of 1328	2652	Pmmeon32.exe	38
PID 2652 wrote to memory of 1328	2652	Pmmeon32.exe	38
PID 2652 wrote to memory of 1328	2652	Pmmeon32.exe	38
PID 1328 wrote to memory of 2632	1328	Phcilf32.exe	39
PID 1328 wrote to memory of 2632	1328	Phcilf32.exe	39
PID 1328 wrote to memory of 2632	1328	Phcilf32.exe	39
PID 1328 wrote to memory of 2632	1328	Phcilf32.exe	39
PID 2632 wrote to memory of 896	2632	Pidfdofi.exe	40
PID 2632 wrote to memory of 896	2632	Pidfdofi.exe	40
PID 2632 wrote to memory of 896	2632	Pidfdofi.exe	40
PID 2632 wrote to memory of 896	2632	Pidfdofi.exe	40
PID 896 wrote to memory of 704	896	Ppnnai32.exe	41
PID 896 wrote to memory of 704	896	Ppnnai32.exe	41
PID 896 wrote to memory of 704	896	Ppnnai32.exe	41
PID 896 wrote to memory of 704	896	Ppnnai32.exe	41
PID 704 wrote to memory of 1764	704	Pkcbnanl.exe	42
PID 704 wrote to memory of 1764	704	Pkcbnanl.exe	42
PID 704 wrote to memory of 1764	704	Pkcbnanl.exe	42
PID 704 wrote to memory of 1764	704	Pkcbnanl.exe	42
PID 1764 wrote to memory of 1160	1764	Pleofj32.exe	43
PID 1764 wrote to memory of 1160	1764	Pleofj32.exe	43
PID 1764 wrote to memory of 1160	1764	Pleofj32.exe	43
PID 1764 wrote to memory of 1160	1764	Pleofj32.exe	43
PID 1160 wrote to memory of 2884	1160	Qcogbdkg.exe	44
PID 1160 wrote to memory of 2884	1160	Qcogbdkg.exe	44
PID 1160 wrote to memory of 2884	1160	Qcogbdkg.exe	44
PID 1160 wrote to memory of 2884	1160	Qcogbdkg.exe	44
PID 2884 wrote to memory of 2160	2884	Qkfocaki.exe	45
PID 2884 wrote to memory of 2160	2884	Qkfocaki.exe	45
PID 2884 wrote to memory of 2160	2884	Qkfocaki.exe	45
PID 2884 wrote to memory of 2160	2884	Qkfocaki.exe	45
PID 2160 wrote to memory of 1032	2160	Qdncmgbj.exe	46
PID 2160 wrote to memory of 1032	2160	Qdncmgbj.exe	46
PID 2160 wrote to memory of 1032	2160	Qdncmgbj.exe	46
PID 2160 wrote to memory of 1032	2160	Qdncmgbj.exe	46

C:\Users\Admin\AppData\Local\Temp\10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe
"C:\Users\Admin\AppData\Local\Temp\10305791d27a0be9e488b7cbdeb1f7a567e3914f9560e652ce40f70b348a6099N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\Piicpk32.exe
  C:\Windows\system32\Piicpk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Plgolf32.exe
    C:\Windows\system32\Plgolf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Pofkha32.exe
      C:\Windows\system32\Pofkha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 144
        60⤵
        Program crash
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
93KB

MD5
178b9b463b299b1c466cf5231f1b4d63

SHA1
0a34ed53ea6dada9f869ca8d2e41140eaf11e088

SHA256
9e23fec85457b651a5a7f222344d19854ab17d1ffd1f2743ab0b294b912c9e9c

SHA512
ba580c93b56654f56c84c805777a2c7b500e64907d5dffc5a9c302dfb1bb75d54e70b55a2b09f2d298c5a250c5b0b19181c324ce0226d526002e39b593cf5ccc

Download Submit
C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
93KB

MD5
a054044d9975269cb6e28ffd1eae5245

SHA1
bc34694e8eca7bafb670d05c08df68427ec84349

SHA256
804640260e0ed6d52762bf4aa1fd6f7b43b290ae7c975fd651b5668328abe0af

SHA512
6ca4e9dfeeb86cdef9df7a2e9c8e15a8d4e5f3905d5f20d2e6684fdae2dec83eb37649b8be42696df873ed50e4b184c0e7719cdd0dc8b1862ab01aa0da3d82a0

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
93KB

MD5
03f0b91d1cafb6ad8e26d74630d80cae

SHA1
71b6ebce44c79846e7389991e189d4518fd488ff

SHA256
613d9bb1a3cf5fdf86091c3b7859b73cde7b903ca3890203844f9e746b138d0e

SHA512
eb7afb30f84f2308ac7b34e409ca3dd163d44aeeeb070a77e5c14f626057c20f888ecbce2e2efd6a5bc8068c89bab0c1e8cb133f05c9297025d958c00e844e5c

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
93KB

MD5
720420c8406e71d4feb19f3d64991a8b

SHA1
985e8cff5b2759688bcb3e7e59e6ffd69c1b151f

SHA256
54beb3d68a292c3127818b4fb7f4ed9db71aaf3a3cc2ade9a5ce894f497a0681

SHA512
10f03d074d47cee9d9560782eb9b47441501b2575d1a75af3b6a13ca69ba261904f0acbc1a1fe1f4f6546a5facaf81515cc8190a708eb70ae90addac41ac6c71

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
93KB

MD5
8dec1500c495aff24b39b1b8e62d65e1

SHA1
e4a9579daff0928e85eb94472eaad9b0779abd92

SHA256
fc6cc385d3fa6870d1ea3b3f14df3d8dc6f9890a98a99e70e4e81c59d027494e

SHA512
77e84fc07bbc0fc6ff4419fee9f940033dfbe2088fe6e22b801786f56df613fda24361965c1b39c7f394086c744de3b2e30d681649d91f808c2f0157d1267ec0

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
93KB

MD5
dd99a2a13a60e9b63fd7356ece4189f6

SHA1
c746fa8250ecbabafb0b7caa969e16ed96ccd4ca

SHA256
73c77444a3bf3ee533a4b1b86e2b39b9306d451418391908893b76d21966c360

SHA512
793629bcba449568e85af23ff93843a6e4a8dcf379162300ace82b8d81c2e12014f2acb8ee918483a816879fa075ca3227f0d59928f295bad6dc825dd8cb42e1

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
93KB

MD5
602c3f991d05b99954b5ab1adb04e858

SHA1
08dadfde3cb8b03aeb1897286da60eb37d2216f1

SHA256
0cee5d0a3c6f09f244cd71b88983a8d5675e1757c5779fc2011810ae7506d9ff

SHA512
d2377208f77c594b35414fb840cab985cf88f2ce61971a9d394e172850872a8f02a04a3382e8a40b5be4490585f801dc07ca7392a518cce75d2ee5abb923ecc4

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
93KB

MD5
ecebf369bc43ce8e585b3763b8aff4c4

SHA1
fa3a38b29c01b290eb741521b0dcbc4065e083f4

SHA256
bc6f48e4379f362bee20d5ad96e0dd22ebd3ef26cdc831819900bd6a7cce95fb

SHA512
d00e5c9d561573b6ed2b67df8328cef43395e9683dd3c63c0e192934b5d06dbc6239e79c63a03e8f338cb986d6b1b9b5e5fed72ec1c2c65bf8e67d9d5e9ba135

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
93KB

MD5
539690dcbbbe9d37c98b20e55ef288a2

SHA1
29933e62f9c2efe49d97905f62efe4cb8f928c1a

SHA256
57335d49a899c054ac7a858eaa1517a05fd358ad2acf14fdfc986e7a285ce69e

SHA512
d9dcbb495de0db19613ef2da9581b0d80e8831b0f591ab9d89ee8cf0b4a31d010990ce70367bd3b1b2f73ea414f316335a4cc356af9da99ad1231417be81c2fe

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
93KB

MD5
057b952099ae3c7592001fc367ef4b2a

SHA1
59c47c639bbda44fff4d270355ae9c6f60173ab8

SHA256
3cd1b88d16cc02136083f4d95d302ee4ab00e2f972ef9ea8df6646f7b9ec3e29

SHA512
81fbab895f6eac013d2348f83dc0ca59d611bf9fed7138cfd495c6b05a02c318871ea9178e269206afda9b853aa356c1aaaf05798e9412489aa7d1f68554d72b

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
93KB

MD5
3cc72751b1e4f116bf8c254689be693f

SHA1
b9b8cd4fdb1fe266d73e546bbe7723974f49b06e

SHA256
c52f74c9a6e28dcdaf4e922a4ad7a357ec7de0ecc903511b201e69c5fda91ff0

SHA512
7720e6dc105289083568cf93a579d56f6e9bfc46b504e5f8eeb9aba935d1c66873e2087fbddead41117c5ce04b9c8760f4ac3c6c24e2d2b90a2baeb1d732c7bf

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
93KB

MD5
471b9480e014b99bdc92e765eb8f5707

SHA1
cdcbefe17aeb96d7a9615c19493e5bdb153a2ec2

SHA256
206a7a409baa6b005cdc77480df3abcc6d374141cd782d73f56b09e0dc89e5c5

SHA512
42d0f79269e9a0a04da9dc80bff705a93f5ea971a9c3798020fac9b7e878b31d2ffdacf1a69125f9567de7d03c5d55b5c23d90180ea3f069e478da8783dcf93b

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
93KB

MD5
0631bb925d12b5fa99d4d2668ebd8aa5

SHA1
46a0e9cb3db8b32ae340f46aa73e5ae9dee2a19e

SHA256
5ad25c4772f41ecf19b3444d59d6bb56d53522d26b2972cb28f69072fa8c0d81

SHA512
c85c4b40274e1e0290206de031663c538ce682d1ecfa6e9237b3f262b5ab9377030179e80914e53511994cdf2db190a076028bc1d6716865da5230410cb189c0

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
93KB

MD5
13d8dbc15286365cc45aad27948e59eb

SHA1
ed20135df84790496c548e6c24d797ed0181a605

SHA256
5923482e29f3085585743c3f967f22868f3b41dc98149c814d0401f11b683ec7

SHA512
b3eecac9ce15e43c6749be82e75b87c44b133be4d8f6fd32effdbd947f33fb31c80458e38c667b4759d576d5f8b4f97dc8d7aab71c01cdbb930267bc53cf8a65

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
93KB

MD5
8c1d605fc1c885e57dc6dd8c4fcae0bb

SHA1
7d5db72ec1ab5bc483aba0356275047ed70b39ce

SHA256
b56bd88b7dae8a19ae8744fac84f82251d34019c0e1288d472bdfb1d2bb554b6

SHA512
fe3d440fb864efe8f1c35d95edba807c20947f899636e7d0307ec8f020754248a71c9c5c08d891eb021abc140f702781eed0750542392206a9171fe39fcadc2c

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
93KB

MD5
c08ffe451cf621c30b0507b915dc6bcc

SHA1
2e895d12f92c034d934e7ac04b574634000bd3e2

SHA256
cd2661330bcfd6b8f2da0fff071925e68fdc436be317ee6303723fe0990be25e

SHA512
e40dc345f24ce142f27358a233f614a9cd5f4a9a7d7fc4a49f88e839e5ab7c3a0ce01f0e25b0b33e2cc5e63f19e76ad0c1d5b0f97d9df0b0560c7edfce8357a7

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
93KB

MD5
7be12f1e630b30523c39453a0c3e37c0

SHA1
6f8e200d87a1ac6dbe4b03e90193d01295a138c3

SHA256
1e0336cc72a3a28c3043a600a4978ae5f429127e8792ecc62f2de765608db3d6

SHA512
980173fb1a5b1e249c7bbbd1483a91bed9a2f31644d5346f9b62303d1e102f08761928ac70494e4406de88f2e248da93436f9e6dde705219519108d5db02fece

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
93KB

MD5
be6857486b67e946439a29754b4b9013

SHA1
303c04aa62005ba5c0215abc86ff57da22eb54dd

SHA256
d15f96c48a29b77bc7a57b9c25e1e9ad4164d89463a0752833f5f9a80d9ad218

SHA512
4511f4f6545773c52d8b1570b84d4f6426b0e9cbfe3371fd646eb58b4d71814fd1e579ca91aad78e91c5f08f10199ff2b5d6a765eaac567881d8b9eee192e255

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
93KB

MD5
1342210f98607756109bd2c30b32f9cd

SHA1
37eb5c91990ecfe2e173caa6f127b228ca6fd19c

SHA256
5cd0f4900ce2ab45a38fb01f482fe94ee3d38bc12035c4d2f194cd84837a8234

SHA512
c0453150c269053c5e617ea125dc91ab4ed89a96cf89802b3317e0aa5f72254761fe47aa6906b3675cf003d07e7dc1543131ee3aff3ce5accef9a6219fb950a6

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
93KB

MD5
0f8efc45245c2d0b28fbbd0a3c5e847d

SHA1
c56f4ee462a44b07757319329c8a161b9808bd92

SHA256
533fd9bcb1238f35a0fe4c55c7b5b849a53852017acbbecbcdbb4dd888ef11c8

SHA512
7d0a673c87722613db681a6c4c4be3b02942c9bf8f1395cda32317f7aa05a70db32d2617188373905eea4625da4af7a634d4cfd2f4c08bce8821f651f899ef50

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
93KB

MD5
8e9a814f23a3514b2d64d4337bb29f7f

SHA1
06f91d9e294e8646902f3d4c699941eec43a2ea9

SHA256
1f3d8df3b858cf6286230b351b521d2d4c222636c29948cb7de669b2abc6cb8a

SHA512
1d37555eecf60d4e3c555c86adc32d3f6ded3671279f89a3d0f5c401bd1b0861d72449a768316741b1ff99ffbde4ffc5c0966a4e01c6ae8f0df155e9690d0b56

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
93KB

MD5
5f65dbb004cbdc7ba784469f769a3b32

SHA1
7673bc038446fbf14ca57cc06f9ddad4de71a3c0

SHA256
46feb83cd9a1018e0757511e5efd66dc256868df2ec99a30106a62a0d518b78b

SHA512
7d7773c9feebb27eaf466466aaf5e0076040381f87c645e77a2d70492fd0c7d4d930666e53c503420124bee04d6a0ceb63649454fe64d378a1af391ecd0bc65f

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
93KB

MD5
fd6ec1a30306793cb8c313d48e99ad48

SHA1
fdc5f2f9908c812403e926b35015044a27fcaa54

SHA256
fc35ea2abbd1a8ac80f8b091e3173b84085f0f257c9ebb196624534c113cb93d

SHA512
b94a9c29e4eaba44e90b4863a1d8b80b3dd11e44fe665f76396b752a8e85ff77814554e731a9af2365677df62130665967a2867d7a63169ceb2f909b8783e588

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
93KB

MD5
9b300b053511983cdd7035713e19c48d

SHA1
42dcbd142267f686cb7d80bc61473020a5232117

SHA256
77679f0fde51aa0df16e348be7ef428746ea2fd7610d60166c5c26e67e6d5001

SHA512
d29b40fa3bc73d357c2702cfb13e8c6a82fe05e78066fd6e4aea73ea37727109b879e5f881e46fbc861926a335d1679fcbf395665bac3b907bfef20c668a2396

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
582eab2a0e655a11f6e3908a3541d9f9

SHA1
7dc3da1ede034ef4d28e49c36637b3e90a9fb2a3

SHA256
d05042390ec33bde2d78ac1ba79983acf65bce0c98cdbb1a0d0735e9ac9abc51

SHA512
37aea3172a6efd1cd60f28c706753aa12412d4cecac0f9ab1abb441bfcef6cca8a899abcd4f765a76f42cd251001ab1d2c6274b3de52a08ff5155cc8e0f40454

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
93KB

MD5
dcb5910e5352e2dc08669e50c82efdd4

SHA1
59b5812831c653e58f410e703dccf9e4a221ba0c

SHA256
dd926a88007174495e4a5f0d2ed15ca76e778b30c4f9f81031d8f279ee016c75

SHA512
34f381104bd239f0fa45b223f1bf94c2f19b2316a6ef633280e244a78130c6a9f9dc4c7524e85bc45278c0802a8a23d5e53c982ea181e9ab298316c586cf636e

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
93KB

MD5
c6bf46bc4af49d2320ba7817bdaf9168

SHA1
0907fc2f621bc3015ac59e353f500bc36c832c07

SHA256
a72a82d128a0754d405318833bf064fbb6e2e59200eb75d11df290c09fb0d314

SHA512
b0cdea4f7f1a61541e448fe4d30be617c9adde6651010ab1d85b36e37db302027cd3a7f879acfcc61774e3cb4ebc0de39b8aa080bf64457566d3612b5bdb8523

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
c48abb31b0247e4760c9763655ae9e20

SHA1
0eedd38b59a508e330945319646c995fb839fc78

SHA256
b7197657c72e8ae344db5a95813768b72de909444eaaaae657033f6442a2b3f4

SHA512
7c73965839b380873973b16d44f2175becd6eb4d387f92aca2c1b050dc80165f1e245008546dca72fc0209edeff4cca926af0a189a520054f6aeaf919be4c735

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
93KB

MD5
8742d96163f331c88541aafc6c4c7b77

SHA1
da45ab136c2165625562f45790ef85767ea9209b

SHA256
00bf89b5e4a60ccdfd0fb30348bb0799fc1eec3a7588ee817c410b38544fd29a

SHA512
4e8f6fd684c58dc9a87870c2401e76fa71c6125ea37160e50df6fdb99ba9657ac28b9ad903cf1bb9bd1f05e3626ab87c5357e315b9da4637d6fc042a33dc8442

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
93KB

MD5
8bdf94c276de888a19392545f5605586

SHA1
7d7150623c7060632656abea6116d4cb5c25b9e8

SHA256
66d44d70301cce8055d5894cd8c73449e02bab12210e80f72ffbfce39afc7d5b

SHA512
2c3b0dcbbc299af8f24f0203f1bfa60bde3e28f8e76591f7defe2c25383049243613f1dc75941d5d8627a5e9bc7817866005939bf4a738d8a88095530130377d

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
93KB

MD5
0265f6683222f11e312ee444d1ba2f36

SHA1
187254d73d4c2896d2b40a141d6cb0ce2d733a96

SHA256
18fcd5675c0750074e26eed8ae1a13b1cc92b1feb46f0ddc6cb2beeead4452b5

SHA512
c17bf538dc54709cbb2f8c0a1279bce8fffb609f37019cb46247ff3dc0e76decda6d7a50b499569440d938178313d4a5b8662596b71fb0b6e06fd5353cf9ebc6

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
93KB

MD5
9a1eb4b7a4ebd3812beae0e06d283380

SHA1
14d50445b59faabd69eda0c5480dffc92586de7a

SHA256
c14dd7f892b4f1eb59cb312f8dfd684eb0b3ef7924aabdf2e227b2ab0f149dd8

SHA512
7bc2e5ed7907da215c0364648910702a753450644cd2ce8a616e3c36e229e139f2baa9e1b0a7b25aad9ae343487f7a2b85a8c88d9fddf3efe1eb729557dd6ac6

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
93KB

MD5
290cbc9b893f48b87d353e424a15260f

SHA1
55946864f4903f539fbd7d1b5aa89b16adecbe48

SHA256
6bffe5c412975950e1ed7191c3805e2f88f08312f95d354398c4c7520a8a6a1e

SHA512
b111ae2d1b0f2e67c9ea024de85ca45f2c462dfc9a7aadbd353193ddd5f8cfb6c53aac49745e26e319cff1b7a9af14a378af0641ef749c202bfba8cc9ac0d601

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
93KB

MD5
cd2ff4654659d60a1c5de0515b0883a5

SHA1
8e5b9d65cf5a21923c239eb15a416872e4164a65

SHA256
c85f8a3fc915b2fab626fb07d6b9d2c6b83d071820ca9b3925d537905938fad8

SHA512
0c90086d2e3772828e65f66a01922f4eb756c3b4256ef9437c735a40d61e1d0d604abae6b0d42619af986bf39180e4e2f8fb2137b1b79f70c1b9e53609fd7dba

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
93KB

MD5
1cf8f4113d512c698f178397fb84fc7a

SHA1
f20d6b850663e780f6ae835679cc0c5c300c4d82

SHA256
3b98367c42f78338d089bf52d930e4e98beb7d7bf37691800f4a0c9c146e369f

SHA512
0400e0278ffd871578bca1cb296e4aa98de3c3648176842bb44410f3b129c620f5f33284f932e655ae97a1ef650ad8aeee6f3b48b6fba7d517f5ef8205558e8a

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
e995eae3cdb001b125a8d6e3018153ee

SHA1
d7c82ab8554f570c8c6eb3a554ced8785cbcbea3

SHA256
58ac78f4efe82486ecece188e7edef7fa644851400832c81bc2812c41a0ec015

SHA512
c4b42adc1c942e8418069e42b38f6b9079528d58d14ee35448ab5d030f743774caae172b4decef1ea53e2fca5aa740ee885cdc0c28d728759f6a0d2e12bc1386

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
da1e2a8d02378ecec195d8a3789accfd

SHA1
0bf1d27919d9b764e59e3205603c89b4fa39701e

SHA256
af92aa64e0533e396887c4d4f8943d3fe88bbd476715640fadca1583e4adcb85

SHA512
2c766cc118202bd8c2dd9fb857149238c074c14fbb2b390cdf65ce15aeedc8f40f22559fa9a7bb56eaec0d8b69263e5a605befc8e0d631b910f4e7bf2decf7b9

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
93KB

MD5
5adf0bdff1549d55c88ab19c829a8863

SHA1
a8b4a62a6ae16543441b1512d1ca9a51174a3bc3

SHA256
3f3133665eeda8bfbf24f4929c5f7ee6c024d28add3ae096b3decaf6da2ba6a8

SHA512
7a69c2c166dfefae634e586910ffbe45ab4b6a188461460b9c706d10fc0f4902446c081e11917af36ddb5a607e557cb25c4d74f0643ddad7e0fb723e7c50ceee

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
93KB

MD5
df6a8c3831becabed8c5f7ffe2ff8979

SHA1
0b6f0d5f9441832a5c807919cd8812f179e308eb

SHA256
a836394d12917d34e516495d922a970a03f26e791d6bb4607016527bac8da8c2

SHA512
36419d7445efa8a0d8157480ad8c314882b67e8652ec33f043c3f90b065cc8488474f1d5f6a846badde905c495268a29d593d3d3adbf395e80e75cea8b3ba26c

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
93KB

MD5
317f00c13a3b7ca617f5e41b9dfd5679

SHA1
9f8ed1a9f382fa7f575d043eced9094db1c16e3b

SHA256
bd89e3f941ce8e95a792f8cf88f9ebc713aeb37572564ea1f3d792c3d137f3cd

SHA512
146c9cbe421bd8dc1c1b94e5cc0dda8eda5c892a434362e8c29468fde4b803c8fb12e0d15a17a1e50b80f65653e189da754364013565d453a6d46764d3c990e1

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
11c0f847a66ee6eb2f615954a371b9d7

SHA1
0fd6ff701ae8aa6bee7ee58eca270f9e92d9c133

SHA256
3ae7ce78d8e6bef8b961eea3f5deada8fb78231549d862c564839224590e7675

SHA512
23c4d9eb997f2cd9648083ea539a728deaba804f595e67c13239af366b6f1ab532318578b6d4a292817e8c57c14f56406fee68770327aa56d7dcb8c4259bb70e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
1bff91b5509efe15d37101a5dd2be5b5

SHA1
f2d9495249fc5a91c0319c4c38ce868852878729

SHA256
e223c6bd596b58d53c4a1393bd9466efad9e2646a734ac25c254abcf0dac15bc

SHA512
e60bc48f57809526ce3dbd6b014f2da2660e87e17b4703095eed24c2bb6b7b12c9d3413de55bea780f258221d47bff8baacd9e92e2d91191c9f7bc4b0832f21e

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
93KB

MD5
11aae7affa8616bea7a57633a09c553a

SHA1
107ad0e152e7a1d8a3b4d0e9d51639c6ad1758d2

SHA256
6be878ecf715783d99d222fef7e370cf6c6ce960e479d88117f7ae794bec1f74

SHA512
cd2049c09c5c71cd061a0fc463281dd621ee8b05891041ad2a189e2f9a12162a8e41fefd247cb45d9d0570be9d7d1838b4b36636a263a6b597356ac6b771a1ba

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
93KB

MD5
4ac98fc1f1258d1feb89e3c0c188387f

SHA1
b9057e62a8de2581b1920f18093129bb75e5d52f

SHA256
4e81f57bdb9c00a73381d8e5980d3c1d9c01bffea9fabcb8f39f1a7448e95d7d

SHA512
692a06f830aa1ca294cac0f757dd254844b263920fb50a1153dd5016ae5925e5c615adf5cff7980b10865ba7e007984bdd28751eb4f5684c0faa6efea8b18eb3

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
93KB

MD5
d220e97169adf50cf53191a17fece278

SHA1
e14e14d78f009eea74e8f4bfb3d2ebf159b38267

SHA256
dee1204943521da35ede49a6f3386ba27bec4c5dd9d8ae5ec81908bad2e361d6

SHA512
62fc2db386d9db8fbae0bc2defe3cd9ae4da037ed7424bda2445c36387a4359147e9caf557004b36c42dbb8c35cd069162da43108027bf2d224a44af61cfa245

Download Submit
C:\Windows\SysWOW64\Qqmfpqmc.dll

Filesize
7KB

MD5
c758ae2908adb9351abdb4d61dc9d856

SHA1
34aaa864b5c36563e2d3964fa8216e42f47a2297

SHA256
22ea2ff4ef2746e43fb5fa13ea4f8d2b9e867d65c40997f3dc85abcaff79d4c6

SHA512
59d2f8a11b176f8695d4307a4c5417d79bf4fe261a55ae15ac771277da21981cade7fc7d255d07e1407c28b4281c6190d4dbc45ff5e35c760e1b0b2ad74cec88

Download Submit
\Windows\SysWOW64\Pebpkk32.exe

Filesize
93KB

MD5
9fbb16c7a6456a0e05dbe289121694f1

SHA1
ea3ecef61a334227bb33f6b2b7f7b2c22a969337

SHA256
985577bc11711c30cb59fcad2c15a0975827ff7aa59a199285105ce1b10c8fa1

SHA512
a11b2f9516ce607b7e401fb99b7072420e7b27d872c4704a247ab4007e253832e00656689f2da59d07c24d08d7573b5a34ce30eb203031e022bec66482e9eb23

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
93KB

MD5
143c8313335d9132d165ad7c47e9a124

SHA1
2d7e362b5251401d95eb9ff3efee5597bea960c2

SHA256
1911ab4564d6aaefa86ee7319cec2cf53d3c7477bfb2a731b0a3228cee011dac

SHA512
ccb574a10a865f05b57de988623fdc1142273a045b103c26698f8067d7b0a31d4b764a200986ae584f9320964ede1338e332984d34faf248e3ab8997e9f9784e

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
93KB

MD5
8697f756c295dc79ead9411414cb1a72

SHA1
f016cf645acba0df4b2578ec2a0c7e9948e85e32

SHA256
3c39ac5dd140cbca61ba924c35c0e0d605b319acd1f948a645f94271f499e246

SHA512
5ae0987b8f8600726426207b4574a1bebb8d050967d0e90aafd6f44281adb05baebbb30387c04b623f28aa17e62e46613e3b1627c5076e23f399757a116a2fab

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
93KB

MD5
971d1d716293fd4e9ab15b6f2c80d038

SHA1
2af3b0632b43072ca40f812234e274f1e778f4ce

SHA256
57bd5ef5861421de068a390d1b3f03b172bbb8e01ce04fddac9d62222048e107

SHA512
b10c105b7a1694a524d3f8a37cc33add2e1c271fa95abee45d1805cf42c39c59bc71d3a77debb8bb6d1669ff075ebb3c49a942c9fcc89fdba2a621dbea02b5e5

Download Submit
\Windows\SysWOW64\Piicpk32.exe

Filesize
93KB

MD5
998c46b04237fda1e5182931a7955d0c

SHA1
dd75c4bf202a6046ed7699cd8cee8358a57cfaf7

SHA256
4db4c64b364967d252e23d1ecbac43acfcb0cc9a7823319a240107d48b5e5b67

SHA512
71f6907ddfeadb68e5630a8a8476a886aad389696bacad203a40e71fbd048b0e72afff27375a77ee1ba62c27db06472da4986c711afa901656d8a4186d87ba1b

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
93KB

MD5
99981e747e972acd44181bf9ac6e696d

SHA1
f476b63ce23a06551cf906c051fffc92b200f2ea

SHA256
9aab96aff88dba5896c1b12432370b5358c1c77afbbfbe354a537e546e06e88b

SHA512
b529354f95abe82a8b360ab1b21abf3fb666c659804a6c7ecadb4b628c20b5f2e408f40478d56ac5bca2784a79a83b2b1980bdc0d4767ce6226b1676c6c341cb

Download Submit
\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
93KB

MD5
acb7c26044980429e5e308fafdb0bfa3

SHA1
0e69ca762839381a516bd7a84188969fe43d2db8

SHA256
155c8fc3ff0d2fd6b80be27e8fc1da1479ace7a6cddabe7d664df516894924a7

SHA512
91d90b7020a3193259ce5d85d2c5e715584396efe92daf52078ed629f274afff8c0b8b2263ed56cf9303bfe4f9c938e2881dfa608f0342cb4a7e6e335c40f1e9

Download Submit
\Windows\SysWOW64\Plgolf32.exe

Filesize
93KB

MD5
eeb80e06ae075ebfd622136851ae2dcd

SHA1
38da8d8493058c24b62e0609d16cd3a756cac4ea

SHA256
abd5b4f34257b329eb664689cc5710ec8aaeb41ee79860bbc7137fe2714f1fe2

SHA512
af6bc64219818c859c6e27d13d8530ce34798554074736ccc25b556343bacd26f658d9e5dd7f64752742a6dc5c81b4bf0e60babc7c8dd91562a8cd5e133e602c

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
93KB

MD5
c1acebb35ea3c399f5cd11fd74e6ef09

SHA1
ba7c6f56bd2d3c89796864f0b42c09c2b656442f

SHA256
8ed68f3b717b4dfa1f63ef7046af7ac3b55c9a68648aea4752808fe7ca0e42c9

SHA512
df3fe1a461982a734b38b668d33a388cc93e48f409e00cb1f52dd1c1eb5eb178db7f94502ace262d8e9dbba2bcbaa9e408922d9dcc7330f3387a4e80c3061b0e

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
93KB

MD5
89bfad24416e4533dc934599527f5178

SHA1
2d6e417c4c128154bd0b5477c8f6b1ca9159b12d

SHA256
098024276c6bb2a8eca8759a8781d85598df2f0efa5d050354acdccbf10fac5a

SHA512
bdd888a47f54dffefa966caf05d604e87346280366dbb0d7719e72f2cefbd4cb530cf9ff77dd5ccff7c37182521d87fceb594ebd6eb12b29f071380e6004dab3

Download Submit
\Windows\SysWOW64\Ppnnai32.exe

Filesize
93KB

MD5
58da7beb3f7f05ef3dbe86a69d01a177

SHA1
7dea7ae45bd482d71ecdad1fc99074e00ae0151d

SHA256
a4600699cc3babeedb6842677c8106cc49962f5b2c0c5ae5ac5656c06afbce00

SHA512
b9270f718f23ae0cc8314f05ad69850119b56d793377ab5ee73d77c7eeb59bb9158c674f354285c3735d714718a0d4f9a20462819b48a619bfc4e115c9e64295

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
93KB

MD5
a655fbfb49f2de850de5047fb2cf9ee5

SHA1
f1c6ab2fde6d692c8f1fc4b668a185502d4db837

SHA256
390bd683a425548c5e3b542b9dbc9228595e0c8823fcdede8d9be36589d802d2

SHA512
ab7d8576db31079c022f7e4ed611cb2f39b356a5d36a117a1d5115a8e288137326c8397d34e5a231c003338009e80b6eeabb3b99baff96b198f66f0e32f65889

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
93KB

MD5
55868027fadcc443af9a356f8efaee4a

SHA1
c7d25a7d6b4587afeb54005d94e8d2249e298dcc

SHA256
80b59b522e7c50f22f492f5db2285393cad1df7ce82ce0f44f9a935337fee859

SHA512
901ca8866b418c99169a6837d218ad6322743e9e3b2405632d62f7f95ad7b711129744bfde84ddc295fb4cd633d2f92b59cf6dd9ecb908895f10d3b67593f276

Download Submit
memory/548-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/548-11-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/548-350-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/548-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/564-481-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/564-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/568-293-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/568-294-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/568-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/672-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/704-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/708-483-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-430-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/852-432-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/896-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/896-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/896-141-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1016-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-219-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1132-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-283-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1160-492-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1164-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-420-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1248-419-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1328-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1328-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1328-114-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1552-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-272-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1552-273-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1668-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-404-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1696-315-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1696-316-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1696-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1728-251-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1728-250-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1728-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-88-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1748-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-93-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1764-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1764-172-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1764-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1840-396-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1840-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-232-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/1924-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-502-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2056-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-327-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2156-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-326-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2160-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-261-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2448-262-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2448-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-511-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-369-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2564-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-60-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/2636-397-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/2636-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-51-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2660-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-33-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2728-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-338-0x0000000000380000-0x00000000003BF000-memory.dmp

Filesize
252KB

Download
memory/2740-337-0x0000000000380000-0x00000000003BF000-memory.dmp

Filesize
252KB

Download
memory/2808-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-348-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2820-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-361-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2840-362-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2840-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3000-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3000-385-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3000-380-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3068-306-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/3068-304-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/3068-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads