berbew | 0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
Size

97KB
MD5

adee55f7e57d387c2f83bccb378b88f2
SHA1

21c93ee06cd281a94a12faf49b4ea5c4189a857b
SHA256

0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286
SHA512

fae886f1bc4e6b278e19f384187102e6af3705f04e830c97632dff2446ce5f81b0a90394acf06e199c9621cba01ad71c31875c7d060c35537f1f8bd3ebb30024
SSDEEP

1536:KLDqzctHWTTajL5EdGf+mXUwXfzwE57pvJXeYZ6:Knoyz7Pzwm7pJXeK6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 55 IoCs

pid	Process
2888	Pokieo32.exe
1996	Pfdabino.exe
2648	Pmojocel.exe
2096	Pcibkm32.exe
1268	Pjbjhgde.exe
572	Pmagdbci.exe
2100	Pbnoliap.exe
2936	Pmccjbaf.exe
2604	Pndpajgd.exe
2916	Qflhbhgg.exe
2252	Qgmdjp32.exe
2156	Qngmgjeb.exe
1772	Qqeicede.exe
2476	Qgoapp32.exe
2188	Abeemhkh.exe
2492	Aecaidjl.exe
3064	Akmjfn32.exe
1616	Anlfbi32.exe
1044	Aeenochi.exe
1864	Agdjkogm.exe
764	Ajbggjfq.exe
680	Amqccfed.exe
2552	Aaloddnn.exe
848	Afiglkle.exe
2524	Ajecmj32.exe
2992	Aaolidlk.exe
2820	Acmhepko.exe
2172	Afkdakjb.exe
1156	Amelne32.exe
1736	Afnagk32.exe
1512	Aeqabgoj.exe
2408	Bmhideol.exe
2828	Bnielm32.exe
2832	Becnhgmg.exe
2920	Bphbeplm.exe
2044	Bbgnak32.exe
1328	Beejng32.exe
2504	Bhdgjb32.exe
2436	Balkchpi.exe
1316	Bdkgocpm.exe
1640	Blaopqpo.exe
2468	Bejdiffp.exe
1760	Bhhpeafc.exe
1348	Bkglameg.exe
932	Cpceidcn.exe
2964	Cfnmfn32.exe
2696	Ckiigmcd.exe
1628	Cmgechbh.exe
2640	Cpfaocal.exe
2620	Cdanpb32.exe
1632	Cklfll32.exe
632	Cinfhigl.exe
2360	Clmbddgp.exe
2456	Cbgjqo32.exe
1868	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2852	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
2852	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
2888	Pokieo32.exe
2888	Pokieo32.exe
1996	Pfdabino.exe
1996	Pfdabino.exe
2648	Pmojocel.exe
2648	Pmojocel.exe
2096	Pcibkm32.exe
2096	Pcibkm32.exe
1268	Pjbjhgde.exe
1268	Pjbjhgde.exe
572	Pmagdbci.exe
572	Pmagdbci.exe
2100	Pbnoliap.exe
2100	Pbnoliap.exe
2936	Pmccjbaf.exe
2936	Pmccjbaf.exe
2604	Pndpajgd.exe
2604	Pndpajgd.exe
2916	Qflhbhgg.exe
2916	Qflhbhgg.exe
2252	Qgmdjp32.exe
2252	Qgmdjp32.exe
2156	Qngmgjeb.exe
2156	Qngmgjeb.exe
1772	Qqeicede.exe
1772	Qqeicede.exe
2476	Qgoapp32.exe
2476	Qgoapp32.exe
2188	Abeemhkh.exe
2188	Abeemhkh.exe
2492	Aecaidjl.exe
2492	Aecaidjl.exe
3064	Akmjfn32.exe
3064	Akmjfn32.exe
1616	Anlfbi32.exe
1616	Anlfbi32.exe
1044	Aeenochi.exe
1044	Aeenochi.exe
1864	Agdjkogm.exe
1864	Agdjkogm.exe
764	Ajbggjfq.exe
764	Ajbggjfq.exe
680	Amqccfed.exe
680	Amqccfed.exe
2552	Aaloddnn.exe
2552	Aaloddnn.exe
848	Afiglkle.exe
848	Afiglkle.exe
2524	Ajecmj32.exe
2524	Ajecmj32.exe
2992	Aaolidlk.exe
2992	Aaolidlk.exe
2820	Acmhepko.exe
2820	Acmhepko.exe
2172	Afkdakjb.exe
2172	Afkdakjb.exe
1156	Amelne32.exe
1156	Amelne32.exe
1736	Afnagk32.exe
1736	Afnagk32.exe
1512	Aeqabgoj.exe
1512	Aeqabgoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pmojocel.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Pmagdbci.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Lhnnjk32.dll	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cinfhigl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	1868	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2888	2852	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe	30
PID 2852 wrote to memory of 2888	2852	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe	30
PID 2852 wrote to memory of 2888	2852	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe	30
PID 2852 wrote to memory of 2888	2852	0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe	30
PID 2888 wrote to memory of 1996	2888	Pokieo32.exe	31
PID 2888 wrote to memory of 1996	2888	Pokieo32.exe	31
PID 2888 wrote to memory of 1996	2888	Pokieo32.exe	31
PID 2888 wrote to memory of 1996	2888	Pokieo32.exe	31
PID 1996 wrote to memory of 2648	1996	Pfdabino.exe	32
PID 1996 wrote to memory of 2648	1996	Pfdabino.exe	32
PID 1996 wrote to memory of 2648	1996	Pfdabino.exe	32
PID 1996 wrote to memory of 2648	1996	Pfdabino.exe	32
PID 2648 wrote to memory of 2096	2648	Pmojocel.exe	33
PID 2648 wrote to memory of 2096	2648	Pmojocel.exe	33
PID 2648 wrote to memory of 2096	2648	Pmojocel.exe	33
PID 2648 wrote to memory of 2096	2648	Pmojocel.exe	33
PID 2096 wrote to memory of 1268	2096	Pcibkm32.exe	34
PID 2096 wrote to memory of 1268	2096	Pcibkm32.exe	34
PID 2096 wrote to memory of 1268	2096	Pcibkm32.exe	34
PID 2096 wrote to memory of 1268	2096	Pcibkm32.exe	34
PID 1268 wrote to memory of 572	1268	Pjbjhgde.exe	35
PID 1268 wrote to memory of 572	1268	Pjbjhgde.exe	35
PID 1268 wrote to memory of 572	1268	Pjbjhgde.exe	35
PID 1268 wrote to memory of 572	1268	Pjbjhgde.exe	35
PID 572 wrote to memory of 2100	572	Pmagdbci.exe	36
PID 572 wrote to memory of 2100	572	Pmagdbci.exe	36
PID 572 wrote to memory of 2100	572	Pmagdbci.exe	36
PID 572 wrote to memory of 2100	572	Pmagdbci.exe	36
PID 2100 wrote to memory of 2936	2100	Pbnoliap.exe	37
PID 2100 wrote to memory of 2936	2100	Pbnoliap.exe	37
PID 2100 wrote to memory of 2936	2100	Pbnoliap.exe	37
PID 2100 wrote to memory of 2936	2100	Pbnoliap.exe	37
PID 2936 wrote to memory of 2604	2936	Pmccjbaf.exe	38
PID 2936 wrote to memory of 2604	2936	Pmccjbaf.exe	38
PID 2936 wrote to memory of 2604	2936	Pmccjbaf.exe	38
PID 2936 wrote to memory of 2604	2936	Pmccjbaf.exe	38
PID 2604 wrote to memory of 2916	2604	Pndpajgd.exe	39
PID 2604 wrote to memory of 2916	2604	Pndpajgd.exe	39
PID 2604 wrote to memory of 2916	2604	Pndpajgd.exe	39
PID 2604 wrote to memory of 2916	2604	Pndpajgd.exe	39
PID 2916 wrote to memory of 2252	2916	Qflhbhgg.exe	40
PID 2916 wrote to memory of 2252	2916	Qflhbhgg.exe	40
PID 2916 wrote to memory of 2252	2916	Qflhbhgg.exe	40
PID 2916 wrote to memory of 2252	2916	Qflhbhgg.exe	40
PID 2252 wrote to memory of 2156	2252	Qgmdjp32.exe	41
PID 2252 wrote to memory of 2156	2252	Qgmdjp32.exe	41
PID 2252 wrote to memory of 2156	2252	Qgmdjp32.exe	41
PID 2252 wrote to memory of 2156	2252	Qgmdjp32.exe	41
PID 2156 wrote to memory of 1772	2156	Qngmgjeb.exe	42
PID 2156 wrote to memory of 1772	2156	Qngmgjeb.exe	42
PID 2156 wrote to memory of 1772	2156	Qngmgjeb.exe	42
PID 2156 wrote to memory of 1772	2156	Qngmgjeb.exe	42
PID 1772 wrote to memory of 2476	1772	Qqeicede.exe	43
PID 1772 wrote to memory of 2476	1772	Qqeicede.exe	43
PID 1772 wrote to memory of 2476	1772	Qqeicede.exe	43
PID 1772 wrote to memory of 2476	1772	Qqeicede.exe	43
PID 2476 wrote to memory of 2188	2476	Qgoapp32.exe	44
PID 2476 wrote to memory of 2188	2476	Qgoapp32.exe	44
PID 2476 wrote to memory of 2188	2476	Qgoapp32.exe	44
PID 2476 wrote to memory of 2188	2476	Qgoapp32.exe	44
PID 2188 wrote to memory of 2492	2188	Abeemhkh.exe	45
PID 2188 wrote to memory of 2492	2188	Abeemhkh.exe	45
PID 2188 wrote to memory of 2492	2188	Abeemhkh.exe	45
PID 2188 wrote to memory of 2492	2188	Abeemhkh.exe	45

C:\Users\Admin\AppData\Local\Temp\0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe
"C:\Users\Admin\AppData\Local\Temp\0475ae510ce4d6d3817df9ccda06dc869f87cd9a466592b0483fa2b3a8c28286.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Pokieo32.exe
  C:\Windows\system32\Pokieo32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Pfdabino.exe
    C:\Windows\system32\Pfdabino.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\Pmojocel.exe
      C:\Windows\system32\Pmojocel.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 140
        57⤵
        Program crash
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
97KB

MD5
24dfe99b7722319838b79f96c09f4fe7

SHA1
544683b17326c6b94f02f1a5566c91f4619af15b

SHA256
29060eae1a75f3464609be62a795c715523c174dc0f2121e4aef5cafea98ee81

SHA512
72b1d1da0fc626048d2b3283ab49aaa1dd586f1ca2500f2ba91764e68b33a748fbb866c20c22e3046638492ee7013f696f048e0f1303031688cc2a8c8f58ea6c

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
97KB

MD5
0d123523db0b81d3f3c7f3d15fbef2ee

SHA1
0ae64842514079f0482655c45b37b439c02bc933

SHA256
5a623cccacc5abba570a42798be6aa355d1d43eb853a7290a7bbf47e31a9915c

SHA512
6f7e9208c14ef1d747eebc0d187f20bc360658e2befab43bde2f6b64a093b869211c7e4119b98966286e92a0a5275226f8568bf4d0dd323eb27a0455f3eff317

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
97KB

MD5
bf36aed42f549c414bd1ee5af1f925db

SHA1
4600d787eb35c332d00f23bb65ee2e40f8683de5

SHA256
c73b6e2ed5d795e6e994b46dd8d50e12aec8f44983140f6d1a7c881d9e63e343

SHA512
1f72410ff4454413321357a43315fb5167946fc7eb4090b5f808416ae767f994442dec3e34f36d251e1b195115c5b30d4c26a1e3db97ac6fa53122aa8e82167e

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
97KB

MD5
329a2e9ca3f4c0802a39dbdbdb67114b

SHA1
beab6a35d17db9b952967df860bc4c8b364cdfdc

SHA256
797808ca0dff5043f389194f127d12edb036394b898b046b39d3d259e8b2491b

SHA512
9b4420c9d13202877c21b0147bcf4006a4ae43f0658f4c366b04f832630b0c1e0a1ef66adf61b0e1a3d30bb1843b2bf59e35423d6f8c1a80dc3dfa01d7e35205

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
97KB

MD5
3a1776ac8864525ec93bc99f5a368aa1

SHA1
2de45c220a70350c133d9fb820f9c8911db85ad0

SHA256
9f0e76c091d002e4ad46db85d865054258ffa4ab5f4591fa2baa500f0bf7463d

SHA512
c06f87d0bdcd75e7aaca29b759c9ae979cd6d4d5259ccdeb195864a0785ee2485c721fdd8cf7a60b60078ccc708f9aacf001d3a6b66c4dd6df0905c807d2f0ca

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
97KB

MD5
cc1da82ab9b5abc21d3f0397a64d45e1

SHA1
ece2e59c7bac9579c1abb94dda90f1e02ad8a585

SHA256
de36631b5d7c9b7f9b70be1c00df923b4a545616ab9f3b320d90c912baa3771a

SHA512
c4fa28c6469d1593599f6df26da94f4ed2a03b56bde7550019c217bb71e86d3f813082eac01273f00e834fb0f441349996f8bbcc41e92a1027ea3e7909e64ab9

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
97KB

MD5
4c91e6770e31fbd2b9a4ebdb5beab2eb

SHA1
4f97f6a3d8fc6e3608d30616c7fd7b0643f14d40

SHA256
e9bde77d179b4dd9d6a27ce47017b94e87524f7d57df95055a662140723319c1

SHA512
221a6e13e9437fcfc16c80caec479bf3d89b800411f021a2bc378d54a43880e782a6d6accdf9ce9235ba6d9c88c21487bdab9500ea0ba6ebf2c2c6f2afc3f077

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
97KB

MD5
bfbd614c2e71941f796b74fc3653be9e

SHA1
e1d1c9296574b9f7c892bc979631e6ae173b001b

SHA256
294baaae811e35368a4798c0a5188d8df1996edca7638df83187f5affb544e3a

SHA512
2a407310fd6547b3e3c7c7d79af5edcfdcf4cc41e1d58513fa47bc6152afa3f1ac9a6751810be83a764e8737bfa116a19855bc5b1b85597e11b360d4b52d5f3d

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
97KB

MD5
d9625746608955220a77518d51377b4b

SHA1
51a40d21a49769773de579bd7d024169987e488d

SHA256
a855d152bf36473772e23912b99677430465b1abad82ccd71a10d220eae5bcb6

SHA512
6bff5cba00b080852ebe269de2db005247a51bfcd5dec9e405b6adb3082371aef666785e927e097c1f5d0ff4ade5252019a137bdbce7a2a00dab87e39a513f52

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
97KB

MD5
92e9115c7d5d710d3832af241273f86f

SHA1
5fc8eeecd92a68cec4c7ffe9332363e97c3b82f7

SHA256
2cd41384511156096ff89046c31f1d1b861ce835820a8522224c8d5aa6ff3ac9

SHA512
2286a52c897aafd2f0c1478110c6ef75d14813b4f93d3173d8cb6d2256aba2df16f9cbd6f944367d7d41dae2070a44c505fc86917a63be0b2e32b45366e98cef

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
97KB

MD5
5a1f9b51024553493b7a8da00f96c97f

SHA1
6fcdf01270269d84972e621af1420688d42c051f

SHA256
2be37e42618b008cf76e0da81b649c441870ad9c0625c6caa8f520066e12cf00

SHA512
f641132847ee675361ea510486b71c74de59602bacc015d21bc47d54aa0b9b61d59c20487902f98192bbaf4e811d8938b7bc99db207f7bbd1ccb49e612edfacf

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
97KB

MD5
d060c14e4ab4ac31d36eb27430394e29

SHA1
42a2b8edf528cab8efbdde85f8aa8f8e6a4da02c

SHA256
83a04a0593f3926a3d19855e20c928a9f0887be0d7338792dee6d28df8ea5163

SHA512
2607b8e22a23d24462d423bea4a076ef3216484b7ef048249d24e86e4ada5b6dcd18f2311c49292a24f2fc92fe574c4b8ce4fba9d94a6c4bce81d8b507cd8390

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
97KB

MD5
db907b84117a965d02943e17a4640b27

SHA1
81a8f623a781fa5b23ef09542dbc3a5d85967b4b

SHA256
983488930455cd732cf3d83ec78e352b7129177523431f55e489595a6f79ba3a

SHA512
457b4e502914ecd75e00504a463ad65da3a0b0d03bceeee67a22763873d131ebb4133a1c5c440ad9068a0868722bb51b8bb0b34fc5b441766b437af91bfd9057

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
97KB

MD5
7623c9e6353a8e2d1e6e575470d041a1

SHA1
c5ccfc57a26bea021f297e9881ec128f181fc3f5

SHA256
cef9a4803b50d53cead8624732859e9af3ccc091cd04e12f8ac845d1be3f2afa

SHA512
db6dc61b3490b1b2c61a45057f013e19ef0353d251621025584cfeab632ca05d6465dc08a8f7a3cbadc0e989e17853e0409e6cb0674628a3779c4b4a2fa7785c

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
97KB

MD5
21d9a453b848355e1ee292b9b57049c4

SHA1
c3b70a70d2e1f5655991ddc550a79913e4ffd959

SHA256
ea835b2569bd608df870584bdf101bef323ec4f353b7c3df06f8e77136cc5721

SHA512
37966fd289d94290efe60b5cd534d5ff153f7abdadcc0b9abcbf3ea1e38c5515be07b7adb7e51495a37334f668c64d18ba40dab98656f4ebca4cce808572ce41

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
97KB

MD5
c1c3976ac9f68ab17123aeca33560fd9

SHA1
6e40ac3a3dcc168e6f39a88c11993fe3c2efb166

SHA256
7e4495f103a65570aa5456c739c1e03058d7eb8b3ce3e0bbb14d41c13cafd22a

SHA512
61ed2d1872b455f1b1d813f3e2c52a6dcd0bfb552d497ad957c71a268ea9ef733d9e8c72c436bea97d6fae8c4e7ffd727fc29092101404e3051c9e457a63e769

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
97KB

MD5
e2a7711534cd15eb21052898147bee87

SHA1
67d8feb338e1e93ea3a0c9e2e646ab7ddd917361

SHA256
f35804c5866add883312387486eff4a7d21148011c7556286b757fd34da8ed71

SHA512
917dbe6c40c2635e458089a35e5e9c4f6427dda698c911663710bc833a34767b57c36ff1cdfccbbfea9554bfc64c4ac486bc425b4be6414d7e1286e1946ec164

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
97KB

MD5
483e8e0e37c0de43a5d0d97ab398b2b5

SHA1
946dd1a8421fe9e709b41d536b4a06a2c2900b5e

SHA256
c45bdfdbfb751b1a849356727debd54f753789d7530782de3f24350b98a23c4e

SHA512
1643aa24c2548e5dd0c774e6679a44839afc58fe07af6eb69a81dad37aa3d6facce13da91a0d65303b0b6c286c5ef70c1084697c9646e72d540e7bf3ef4d9c94

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
97KB

MD5
8d875fee80148572708d73121891768f

SHA1
521f1e18414b8014a7273f680bf11781ff57d2b5

SHA256
bb1f83e55a20401cde90f25da9099285e3479d6bc8a0dcc1075291633a8e5831

SHA512
4cc9c3b6b790c9b5f59ad1bbffba5cc2fba5a42c4069b19cdd5b533ab74f5b4d3a6975fb6c12022c8e2140244e8d3b6f66d10c20307b8c0386f5f8813ed14dce

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
97KB

MD5
9887c1f539b24d26bb0aa6a59f7b54ae

SHA1
30071755f4c4ca71c04c81a561106131b0caa00b

SHA256
b6f7218b0cc5fcd107f24c68a6ba72d5fb183964afb6c708bf8c3d1ccc49eed5

SHA512
eef7f967f12a5f2ada70dbde9cbbfb862af21d0c685af58f7670434c3b343abdc3aaa804d9ee4db4a828f7a9cc0382ad44fa7a80c5adc9a84c6f609a89a6a2f2

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
97KB

MD5
d01eeecc4018a35eea35d6191156fcf6

SHA1
c735872d7b5b5e23f2d410612c464f22d61f04c6

SHA256
3fdf44c85229d8a0fdef4455c164ea6f2ddb40c0fba796266fb4da7661b1db63

SHA512
dd17281791e16d00fbe377d0fdd91309463c5571d09fb2497ea18eccc4f967513468168bd1dd8ad63856a439ed7901ccda273f135ad227c569851c0f1128bce7

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
97KB

MD5
5b8be3cc0a25d6fa7a94c7dc4f658547

SHA1
d79614394f29c3195c476f918fa10408dbfcbb00

SHA256
a1da393e0f6bd1152872bd9759261a88ee8acb5573804774e72cf2fb9254656f

SHA512
e0085e8299e28a0e66aebeabb7d8dd8ffd2f13d29aebb94188b2d4ff2ce5c5252fdae2739e8faa768af039482fa4eade6747cea196e8e03c2beb46b69a2f7671

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
97KB

MD5
b139a081daddb7cd820d8ea5d9e610f2

SHA1
b12fa436b73774851ee3d9320ccc6bd5ae747244

SHA256
19d5b6058e0e2d2be7e0e8624f59b1e24e09c75d53fd90c46a13c2d151e5cbe0

SHA512
3bab03196499a59c1a8d4cfa6477f1576c371438c24f5c0ebf0f73da21f3525e26dc77c82145f617c14dd4c0157fc0db17c3cf704837b193cfb704c1cc07342d

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
97KB

MD5
a05494469b9661686450e52097205b2a

SHA1
1d25c861fa4cce37848a42516e27127853ef7b98

SHA256
7cba5e55330e6d1141452a85a59cbe05d655bad213a0d352499343c328cdff73

SHA512
7633b90446d07f72265f53c8753cc2e2cdf65ef84ee997ab8981b162770d5ab894fe5463abbc7089c4270d79f4841e13d09184638da906553b5f2638914d02f8

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
97KB

MD5
9b33454cbd959151f32f3a13388cd965

SHA1
a22ca9fba6f093559be4e8954e2b258d78f727de

SHA256
20153545f5c2abe59b0d7857604678e89aa5e150cb14ed78bf898994b8d0a978

SHA512
e7692a257832763aa8099ca207511a4410969eeb87a76c33c6416807ee072d31bfc4b2436dac0a6a7a8ea96c8256ca4b67406ada877f5f2607f220bf20bdb1e5

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
97KB

MD5
60e1e73ab346ff1b62eb8719472e5cb7

SHA1
09fd4afa34986f7234a1d6eed9aeac1474ddb1df

SHA256
672c9306365826c20fc9fe90f17253ccb682c18abf3f516f0164b0966974a689

SHA512
529b5eec99f232e42ba9a1a480e2969c5b08f663ee8462cdfe429d0abd9e66d5ea3da58f82f9141cc23ca01c998c8b066dc002506ed0196e5bf1b1a3f404aec0

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
97KB

MD5
e1731d115153c8423a8b2deeed2ec10a

SHA1
74fd5de31498cdf8c5c2c0c33ac4cba543d0f2ee

SHA256
6963d24c9e7db708b6bd166feb420223b1adfc2ea6b59be424fb9bc2be032cc4

SHA512
944a05197abbf7f30a3e5de34e31c0220085460ef58dd894827ac003a89efb582cdf982a470a73bd175d4e2530a6c547c1789702544fc2bbb162c06765cb53f4

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
97KB

MD5
0dde39d95e19eea00c39bf1da6514490

SHA1
ae9cdd081d44ae2f5ad8437de31704eba80c6f89

SHA256
3c95132ced6442bcf3d3253dd27a311ab1a14de242f80f9c6801588eec36c4d6

SHA512
4fccf77129bccbfc68af80425ead0df3c49714f4559a9c8e69a521b830f9a2ce171baf99a074d6bb809564a6be770f3d67d1e193ecbc01e454ed2e38bd0a759b

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
97KB

MD5
886b475f0ccf265bb2561a2baafeaf62

SHA1
8bed3def1a77d415d2c875e106110756a7eaf134

SHA256
7ac0a417b30ca96f07ff0facfc628f4ff5a0a691ddbb05b2f1f9097ca04ed13e

SHA512
08909c0ef233767d8890c43538802f113041c56f7aefc40177c9a2045f44d68306c1ed9198f063f8c26ed369e010baf14a98a88d5821ca1470ca27a6c26cc92f

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
97KB

MD5
ebff10e978ecb8df0d324d6073af4a44

SHA1
1f550bfa3cc047db531c285d420eb4cca67263c5

SHA256
1e5a20588a985a1a16f2490ce938336875d755f22dc8e0213a0fa75a0135c74d

SHA512
799e193fe3aaeaa83f05d1620ffceb66fa03da9072fb5e9aca3f11734153b1a589ada9ca83db0a24b8de5c0d0211a47d96ddf2cc9d8ede55d205d1678b082466

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
97KB

MD5
6acf83705a7d9f8ffe1f507a73644911

SHA1
b827e21903ea2a05b26278889be4965948549198

SHA256
cd83a72598429cbd87e8b5a3c5545672707ee184f2a2988d3c75982d0d74bad7

SHA512
8e6307f172c9321dedc9a934c87c28d096467c34e6f7fdacfc32a2f78b22ab19a077992d81ff21232990a75a01a6736f9a0c9cc25f02ef67dee6b076a2c89070

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
97KB

MD5
e933281e715faa09cd43c8a29ee0a0ea

SHA1
52dced0f237983d2a7e9447cfff61ae2c27f4b34

SHA256
70517ae7313875fb51fb53df03d92d14e302643140e927feb5b2f85b28d87b47

SHA512
7999779b1aa03900c6d4d5c669cbf1c30c93f5e85462b9ad9dc522d11b8256feaa3e31f11725e311aac89da81794c1ac13893670a8e7fdf3dfef711e13f375fe

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
97KB

MD5
bf10147da5da639a79df5c2a34c27d45

SHA1
b4e1a81047c7302dd5d7a5a8f59f756ddd1746e0

SHA256
c657152a8a5636706871d4edf724214f9d298ceef810f3276d904754bae70861

SHA512
78330a89464941baf9db065f197b91b1a5c89597ccea2e446d7865ccaad31f1adb30287e995dbc205355518cec02c6784fde527311f17207882279aba97199ad

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
97KB

MD5
0c9653f4176f3fa19351155cc0c942bc

SHA1
94fc42270ced25f76f8280b70604eee6d01a7da4

SHA256
0c1788d9137e0ace68d68b123f539767b43e1a461621019333642418f6ddb146

SHA512
33a956d281e95649b8a8855b19a4949a79a39df0862fad2895f9f5a733b5720f40f07d737ac6ad4cb82657ac9da8b263d29ef3f712ba4e2d75e2c78687ae3db9

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
97KB

MD5
ccf2a6ff117a40c0bcf07acdfdf99a39

SHA1
c1ab2b11865950e43cfdb953e8ef53dcf14ff9da

SHA256
4d0241ae84da9b6bc2ced2a0d86d49133788b9e0fbe360ba6bb42729e50d4025

SHA512
4e700fafb97e9279e912fa1721ef86904f25caa7152e8de9d74c54556b58911741ed59530c1ce64715ea2ddc415dee8612eac368c55bbc3d01c6b745aaa7e3d0

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
97KB

MD5
85406f2069412cd0a309e40107cc0a4b

SHA1
5ae94a42abc05f560aab9aa30b417ed8f39167e5

SHA256
a89219542a241b2340f1bd5e797b7102cad97f9c2ee2d6273faba01833dc3828

SHA512
8dd2d5e3d47e0914ce56c3b446c593d468c076e76fee70e88aae01b966e6ddfafd275ec5dcaef08726e568d72586a750028e12bbc990a9e3c80a7b448ffd72f0

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
97KB

MD5
60731da38a88f987ccf0ddb40201b8a1

SHA1
304d919500a429e37f89b960cbb24062f891e969

SHA256
d7fa5fc34d1a8167c2025d8a1f4f1d53f9d44d8999f39aff41b9e41273281c8e

SHA512
22affe1405a24c22136c2680cfe8218d4566dddb172636ca98c6c49753591f5b862fc00c4e61f94cfbb22868b6051611815e1c1c935625577f9508c438461401

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
97KB

MD5
c5cf50997b5cf539cbc68addb4005790

SHA1
090771850321c7767f0aac5057bd888847799b97

SHA256
d92e6c0eef2a41c83c1d6db75f2195c65e54fc65ffb1f7d7bddc9979c2cfd6fc

SHA512
40bf3c0042b0fd5306dbde26a11fd556edeba6c326b4d2aa846067fde1c7f29214a92f7973f0ed5179f4f347aa1319216c318488322302d10372dcb0d84be324

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
97KB

MD5
454dda74347da54abe06a0af9fba9bcc

SHA1
c0d52c320db498245f4b0617be4c359efd812db0

SHA256
d12ba4469ee7e486052bd31c0d6d53556c3a968ca3f9b82e0d3f2f5858b6da9b

SHA512
b3abb0afca694a620c0ed58a5d5d590537d0c04899e288ff780970bded951454488cec2442dec71e1b796c72ff58a81ec43a01f799d1ec6ab54a867afe71da46

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
97KB

MD5
0ac874ff22380f7494fb6dcee21a9386

SHA1
a1cb14217dd89ec656cedb0510b81d9816dd793e

SHA256
7eadd59f9060b8a451f231888c3a93c20004d9bc72216a7aca118cd8c206fd00

SHA512
0b7a1fcdea4b7094b3ddb9e07aa72bbbd2f677f47c042549618bdfb2130f9d7f111a839237b5fd6b2d8bc46918e027744061d09749fa7c1544cf03cc6f4873a0

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
97KB

MD5
73e95ee28cb0efaa89657a3b07eff9bb

SHA1
31bd23b8143713121ec66f211c2ce336a0fc8a97

SHA256
e4dd31be14be366eec0569ddbdbc101384c43a72c911b7c067cbd3a6f2ff3ab6

SHA512
10b4d6297ca19a582d951a6ba063f5f5b2ca02b2d2d1b560aa574b87381fbbe4e6992bdc5a6a145c5e3469f7e78fd724371df876fd30858b8d437ca64daa3fd0

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
97KB

MD5
a2c7f93fb3f9493e3daadbcb049f5c4e

SHA1
569f1cda0732cf87df4979e006a28f5943b69d7e

SHA256
9d38c3101e3d7c8153c2639c30688fd32fc9edf35c62bcf9b4f3b2a7c0118d43

SHA512
5661fb0e20c273e0a71823cbd6aba40d678b0d9755578fdde9705cd2e2644558048409e1225569428e75b4298cba3a496000b693e370567269edee2bc7836050

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
97KB

MD5
58d655e70f4b80a4c52cf2eb2e30e869

SHA1
b6c7a69ecbd455598d2ba7817d4ffb8be4f13232

SHA256
40e193781f05af1fe520959f059153eab998daf93b348e8d974cebef843bb655

SHA512
9780c0025bd4a59c27583607d7983261bde7acdc8230b5476a7746a4a25e92ce48eb771b1f063ecc7d99c79f2786046a4a785e0f9608ae8e4140db49e5a3e848

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
97KB

MD5
67d6cf289c1064755b91d0cd8b460ac3

SHA1
4e4c51d56590365a1ca415fa47787dbddcb98b21

SHA256
e547e965d430f98bdfbd5b7a5f0489bbf62234049622726c18713bf4ca7398f1

SHA512
98608d2e51106bbe85a4dc6e82dfecde5784503e11922ccd090bf5ec71d062b859ff655bf1bfeccf87e7fed3c95f94b3798bb56efbaa5ff0785df0d0e01780bc

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
97KB

MD5
fb0dd4d98fe10130ec4266e9183516d4

SHA1
fdfae453f30d93fffea02d735d0308c4fe31ef1b

SHA256
5c680f832492a60e8f7095d80045ad093c71795e0b6752fea63c19fe84dea6ec

SHA512
c651c76cf2f02e73737722dcdc59b17aa37d47e66ffcae676cbf75b72de29fe1d02fee40ea376eb2936ba49090a871b5a7aeb5e7045b46821fa72314d5ef0c6e

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
97KB

MD5
99536d526e28adfd635a7af396b61020

SHA1
0616f4b47860eb09f7a6dae8f776269eff860539

SHA256
696a76ad961bb8eff54e2185565de11ac8ebe9729df1c17597dabe53a0cbecab

SHA512
87b684fbdda08a3e7896f7d79ee88ca96289a8eba199a3b63527b0efd78b09a19f8fa9b74a0c132fe90c3bd3cdbe4caedc646d80e5ded914f44a3627acc45f3d

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
97KB

MD5
c614a1e797dbabf1c4f6dab9d4e92032

SHA1
caf8de862b3886124287a13cd6475d848f998fed

SHA256
b1e81a4a076ecfcb1f5d2276174d241e1a928def493c48d76c81547db3cd3a2f

SHA512
51a37edaaf1fe0edb5f49e459b64d7c539db83216f73d6f94f2d21fab1ee868ef58c4344aeaabb81454eaf5b94b849dcae31803b6fe61e77c4325061dfaa2aa0

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
97KB

MD5
f9f0a77dc1484f6cb8b55d4a631fcd4d

SHA1
1c35699aad9654031e489309e4dfbcfcc19aef7a

SHA256
4e5afeb2baa1eef2748102e6ae1d18c40163e3224c1955530cbc187fddf638c3

SHA512
7729da1d285e243256e0b2ac980ebbc239cfe340a88cd63720aa8ceb0959154e3fef703efac09939dc72273406b9aaa3824c2c6d0f4b31e6d71802e943864db0

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
97KB

MD5
fac694a841b3a37744f6ec87ddffba86

SHA1
348c0806af5f1661d9a249797ea3fdf499af2a03

SHA256
7098ab2e6d96563dadd1f281937d669ba95ef8d81512ca19076f49883c64ea72

SHA512
34be301e2cab2633aa29904791d0a5854fd5f0c1b333a544bdfb4121190af8caea0dbe20c1d60e817ae81e23d5d643ddadb1bc277d0b8207d1f54604438a6c88

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
97KB

MD5
dc8d35df583ed6b33cd1a196933ee4fa

SHA1
bd2ae015e8040e4328addce34514bb63d6145f8a

SHA256
c6bc0ae6f3dafbdb54ff3dd9192c561bea7e9a87a1826bd1284433ff08e2cc36

SHA512
878766c9dbce9497869636d0ecb1f061959e173acf5b6f9e5166cf4d4afc5d1aa7d4fe8a7dddd7c44b66b028d8ae4e6eef63a9adcfb0feda417038ff50428e11

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
97KB

MD5
bd7089ecf25fe56141ff64eae74b4410

SHA1
3d831f6cfd7948123a68fd15b4a88177ebd1ad5b

SHA256
a6fe02fd162fbf59ff7915f47530d6ab296a49250bbf5e470b231685f3b597db

SHA512
51ff83eade66e48d2a5b032325131da4955baf8e0f1e06648f3a5e6612421b9d99fc879c994cc347ff9225b561bd1dca58afc6df7f1b8f3c9ddd777320094cdf

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
97KB

MD5
826491d402a1cd229c0bfdf45fd0d89c

SHA1
f3700dcb609ddcc8946b121a3cb1bbcc89df4940

SHA256
1cd86204e8a9726546de60afeea28d63f7680b8e5601b535ab6625b7b37b97ed

SHA512
9521ca197dcd86f83fd858657b053481145e5be9758e316007c8877aa1a26e3183b5a1c40ef88f258be51d1a5f6f83ae5589cc2a7258f6fb06c96714e334cf1d

Download Submit
\Windows\SysWOW64\Qgmdjp32.exe

Filesize
97KB

MD5
71ad1521d572cd1bb488f38d98f43737

SHA1
366bf33a97dd4c7c407b0fe8fb5b6f4b520826b6

SHA256
48bb7c218289a43aaad35c43175bfa3e4082f17557977d5a25460fb707a5d79a

SHA512
c079d0edf5129e57cf30f3cc9cfd9f47b8613923119eab6ab132aa5142aa986fab0f73bb14e6a314ccc1240551d92f988e6839f1c7766c8f55ee93b822ba5dd8

Download Submit
\Windows\SysWOW64\Qngmgjeb.exe

Filesize
97KB

MD5
4051f2e92b2f9c70fc74277cab06dc81

SHA1
51e733720d1f7a62571d268df6898a76b17c427b

SHA256
6efb0f03a1c77188426aefd16544019c7b3a28323d9e1291587160158f03ead3

SHA512
f95c961ab8ce2e4d87cb7f744f99f4bb10982cedd4304cd773e7bb5df78576115dbaa2d2d41b91e272c4022aa05333c9d791204ef70e4871618e4c75bea60f78

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
97KB

MD5
12e78464aa794a98cbc5fb484f59a1eb

SHA1
eb868fec313c4d79f3d985562e497593eefc4ec1

SHA256
fd075cfa379823db5eee206a79b0e636079cfe1c50dd22c1460bd3c2b6b417e3

SHA512
d8eaffd836c0cfadd00649aa7a1f8fabdbf03993b7a47bc4510ea892232734ed55a51503b99ee93f567b79fa2050337947c3c61680e1d9fbd6ae1cc6860af3c5

Download Submit
memory/572-89-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/572-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-281-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/680-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-300-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/848-301-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1044-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-253-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1156-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-353-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1156-354-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1268-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-477-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1316-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-441-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1328-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-442-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1512-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-240-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1640-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-510-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1760-509-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1772-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-182-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1864-259-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1996-42-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1996-364-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1996-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-35-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1996-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-429-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2096-382-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2096-64-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2096-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-168-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2156-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-339-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2188-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-464-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2408-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-466-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2436-465-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2468-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-195-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2476-498-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2476-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-221-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2492-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-453-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2504-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-310-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2552-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-291-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2604-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-435-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2648-56-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2648-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-50-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2820-326-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2828-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-396-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2832-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-407-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2852-17-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2852-18-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2852-332-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2852-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-26-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2916-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-142-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2916-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-418-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2920-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-316-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2992-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-321-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3064-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads