berbew | 91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860

Analysis

max time kernel
78s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Size

96KB
MD5

23c1e3e7eded699812b21baae2f2bdf0
SHA1

f6f2e22aa3d6fb69ae7a9faf89429b45f1d1e979
SHA256

91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860
SHA512

77b338fae638d4cfae64b0c8169e9cb55d05af9208c136b2957a4be773bb4450766970f55c0441f8ff71c7c9d81fb3d76c8d1ba9d92614c6c525c40f3c6b972f
SSDEEP

1536:h1H8EbTed0dWaFoeyRLfmAa5wN9qakBS3pC66Wcie2L0sBMu/HCmiDcg3MZRP3cn:h1H8MT5saFo5RTj9qakBUpP6fc0a6min

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 55 IoCs

pid	Process
1728	Pmmeon32.exe
2916	Pplaki32.exe
2696	Pkaehb32.exe
2708	Paknelgk.exe
2672	Pkcbnanl.exe
2692	Pleofj32.exe
2628	Qgjccb32.exe
2600	Qndkpmkm.exe
1292	Qdncmgbj.exe
1648	Qgmpibam.exe
2356	Apedah32.exe
1488	Accqnc32.exe
2764	Allefimb.exe
2196	Aaimopli.exe
2880	Ahbekjcf.exe
1288	Aomnhd32.exe
1352	Adifpk32.exe
1680	Alqnah32.exe
1656	Abmgjo32.exe
1508	Adlcfjgh.exe
1152	Akfkbd32.exe
2232	Andgop32.exe
2104	Abpcooea.exe
3040	Bkhhhd32.exe
1384	Bjkhdacm.exe
1708	Bccmmf32.exe
2828	Bkjdndjo.exe
2152	Bqgmfkhg.exe
2668	Bgaebe32.exe
2560	Bnknoogp.exe
3008	Bchfhfeh.exe
1868	Bffbdadk.exe
992	Bjbndpmd.exe
2080	Boogmgkl.exe
2520	Bigkel32.exe
1716	Bkegah32.exe
1408	Ccmpce32.exe
2596	Cenljmgq.exe
1132	Ciihklpj.exe
1852	Cbblda32.exe
848	Cgoelh32.exe
1744	Cnimiblo.exe
1880	Cbdiia32.exe
996	Cgaaah32.exe
2968	Cjonncab.exe
1552	Cbffoabe.exe
2664	Ceebklai.exe
1156	Cjakccop.exe
2688	Cnmfdb32.exe
2892	Calcpm32.exe
2576	Ccjoli32.exe
1864	Cfhkhd32.exe
1444	Dnpciaef.exe
2528	Dmbcen32.exe
1624	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2028	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
2028	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
1728	Pmmeon32.exe
1728	Pmmeon32.exe
2916	Pplaki32.exe
2916	Pplaki32.exe
2696	Pkaehb32.exe
2696	Pkaehb32.exe
2708	Paknelgk.exe
2708	Paknelgk.exe
2672	Pkcbnanl.exe
2672	Pkcbnanl.exe
2692	Pleofj32.exe
2692	Pleofj32.exe
2628	Qgjccb32.exe
2628	Qgjccb32.exe
2600	Qndkpmkm.exe
2600	Qndkpmkm.exe
1292	Qdncmgbj.exe
1292	Qdncmgbj.exe
1648	Qgmpibam.exe
1648	Qgmpibam.exe
2356	Apedah32.exe
2356	Apedah32.exe
1488	Accqnc32.exe
1488	Accqnc32.exe
2764	Allefimb.exe
2764	Allefimb.exe
2196	Aaimopli.exe
2196	Aaimopli.exe
2880	Ahbekjcf.exe
2880	Ahbekjcf.exe
1288	Aomnhd32.exe
1288	Aomnhd32.exe
1352	Adifpk32.exe
1352	Adifpk32.exe
1680	Alqnah32.exe
1680	Alqnah32.exe
1656	Abmgjo32.exe
1656	Abmgjo32.exe
1508	Adlcfjgh.exe
1508	Adlcfjgh.exe
1152	Akfkbd32.exe
1152	Akfkbd32.exe
2232	Andgop32.exe
2232	Andgop32.exe
2104	Abpcooea.exe
2104	Abpcooea.exe
3040	Bkhhhd32.exe
3040	Bkhhhd32.exe
1384	Bjkhdacm.exe
1384	Bjkhdacm.exe
1708	Bccmmf32.exe
1708	Bccmmf32.exe
2828	Bkjdndjo.exe
2828	Bkjdndjo.exe
2152	Bqgmfkhg.exe
2152	Bqgmfkhg.exe
2668	Bgaebe32.exe
2668	Bgaebe32.exe
2560	Bnknoogp.exe
2560	Bnknoogp.exe
3008	Bchfhfeh.exe
3008	Bchfhfeh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qgjccb32.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Allefimb.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Abpcooea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	1624	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1728	2028	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe	31
PID 2028 wrote to memory of 1728	2028	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe	31
PID 2028 wrote to memory of 1728	2028	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe	31
PID 2028 wrote to memory of 1728	2028	91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe	31
PID 1728 wrote to memory of 2916	1728	Pmmeon32.exe	32
PID 1728 wrote to memory of 2916	1728	Pmmeon32.exe	32
PID 1728 wrote to memory of 2916	1728	Pmmeon32.exe	32
PID 1728 wrote to memory of 2916	1728	Pmmeon32.exe	32
PID 2916 wrote to memory of 2696	2916	Pplaki32.exe	33
PID 2916 wrote to memory of 2696	2916	Pplaki32.exe	33
PID 2916 wrote to memory of 2696	2916	Pplaki32.exe	33
PID 2916 wrote to memory of 2696	2916	Pplaki32.exe	33
PID 2696 wrote to memory of 2708	2696	Pkaehb32.exe	34
PID 2696 wrote to memory of 2708	2696	Pkaehb32.exe	34
PID 2696 wrote to memory of 2708	2696	Pkaehb32.exe	34
PID 2696 wrote to memory of 2708	2696	Pkaehb32.exe	34
PID 2708 wrote to memory of 2672	2708	Paknelgk.exe	35
PID 2708 wrote to memory of 2672	2708	Paknelgk.exe	35
PID 2708 wrote to memory of 2672	2708	Paknelgk.exe	35
PID 2708 wrote to memory of 2672	2708	Paknelgk.exe	35
PID 2672 wrote to memory of 2692	2672	Pkcbnanl.exe	36
PID 2672 wrote to memory of 2692	2672	Pkcbnanl.exe	36
PID 2672 wrote to memory of 2692	2672	Pkcbnanl.exe	36
PID 2672 wrote to memory of 2692	2672	Pkcbnanl.exe	36
PID 2692 wrote to memory of 2628	2692	Pleofj32.exe	37
PID 2692 wrote to memory of 2628	2692	Pleofj32.exe	37
PID 2692 wrote to memory of 2628	2692	Pleofj32.exe	37
PID 2692 wrote to memory of 2628	2692	Pleofj32.exe	37
PID 2628 wrote to memory of 2600	2628	Qgjccb32.exe	38
PID 2628 wrote to memory of 2600	2628	Qgjccb32.exe	38
PID 2628 wrote to memory of 2600	2628	Qgjccb32.exe	38
PID 2628 wrote to memory of 2600	2628	Qgjccb32.exe	38
PID 2600 wrote to memory of 1292	2600	Qndkpmkm.exe	39
PID 2600 wrote to memory of 1292	2600	Qndkpmkm.exe	39
PID 2600 wrote to memory of 1292	2600	Qndkpmkm.exe	39
PID 2600 wrote to memory of 1292	2600	Qndkpmkm.exe	39
PID 1292 wrote to memory of 1648	1292	Qdncmgbj.exe	40
PID 1292 wrote to memory of 1648	1292	Qdncmgbj.exe	40
PID 1292 wrote to memory of 1648	1292	Qdncmgbj.exe	40
PID 1292 wrote to memory of 1648	1292	Qdncmgbj.exe	40
PID 1648 wrote to memory of 2356	1648	Qgmpibam.exe	41
PID 1648 wrote to memory of 2356	1648	Qgmpibam.exe	41
PID 1648 wrote to memory of 2356	1648	Qgmpibam.exe	41
PID 1648 wrote to memory of 2356	1648	Qgmpibam.exe	41
PID 2356 wrote to memory of 1488	2356	Apedah32.exe	42
PID 2356 wrote to memory of 1488	2356	Apedah32.exe	42
PID 2356 wrote to memory of 1488	2356	Apedah32.exe	42
PID 2356 wrote to memory of 1488	2356	Apedah32.exe	42
PID 1488 wrote to memory of 2764	1488	Accqnc32.exe	43
PID 1488 wrote to memory of 2764	1488	Accqnc32.exe	43
PID 1488 wrote to memory of 2764	1488	Accqnc32.exe	43
PID 1488 wrote to memory of 2764	1488	Accqnc32.exe	43
PID 2764 wrote to memory of 2196	2764	Allefimb.exe	44
PID 2764 wrote to memory of 2196	2764	Allefimb.exe	44
PID 2764 wrote to memory of 2196	2764	Allefimb.exe	44
PID 2764 wrote to memory of 2196	2764	Allefimb.exe	44
PID 2196 wrote to memory of 2880	2196	Aaimopli.exe	45
PID 2196 wrote to memory of 2880	2196	Aaimopli.exe	45
PID 2196 wrote to memory of 2880	2196	Aaimopli.exe	45
PID 2196 wrote to memory of 2880	2196	Aaimopli.exe	45
PID 2880 wrote to memory of 1288	2880	Ahbekjcf.exe	46
PID 2880 wrote to memory of 1288	2880	Ahbekjcf.exe	46
PID 2880 wrote to memory of 1288	2880	Ahbekjcf.exe	46
PID 2880 wrote to memory of 1288	2880	Ahbekjcf.exe	46

C:\Users\Admin\AppData\Local\Temp\91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe
"C:\Users\Admin\AppData\Local\Temp\91cc6bb5f75d8b5524fc8e9417c152387d2b5f95a6200ba75dc3b740c3416860N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Pmmeon32.exe
  C:\Windows\system32\Pmmeon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\Pplaki32.exe
    C:\Windows\system32\Pplaki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Pkaehb32.exe
      C:\Windows\system32\Pkaehb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 144
        57⤵
        Program crash
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
96KB

MD5
1e854139d71d6e62c50804d55e28e40d

SHA1
49bb59160db7c9eeb270b15648513562c8a3d8df

SHA256
064780c194d214cebe70ddaff6d90b848a94161f4f531a7dc88a4a767fc1e301

SHA512
59942738f774308f65749e72b32f83d8036c510c415777c8dee89c152d21d470d3f9c9db87048c44381f003cd030f92f8ac3faddd3be64322e8d10bd7cec6cd1

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
96KB

MD5
fa332e819fa8ba76dfe1832d969f8db0

SHA1
cc0bfddd32d517c6c3ac08a685e80452c5c44923

SHA256
bb5f8efd2b3a7ed0bd0dcbaed04b9b39df59357be2833bf811d72cced68abf38

SHA512
a5bcf0b12a0961f103b99508d338023f1d9977bd585581dcb2aa85b2e5a7606826056be7729ed6304d06975f4fd90635ff4cc080fad2e3be72918ac67a990a21

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
96KB

MD5
c8a13a052aa2f5cc893a70653ec794b6

SHA1
6adac5f4abb09ac52e351e2ac53353113bf32bb8

SHA256
572b6f37876624acc392cddef67e3f48bb97431f1e4e43a9b1752e0992073c12

SHA512
a2ca8651a2e125430a8e5f9c42d4d59bcbd3cae475fa569f3508ff6daf21877df3a762972718f3bcbc0406e1068719d650eb5df8426e46bac67f598a02c6e6be

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
96KB

MD5
583a106a407c8ccad52da8c828eb3687

SHA1
a08e7cd41e4b8e1ee633cc5a379851fd5fa1ed1a

SHA256
0a319f905c78924a7644c5e841ac2b4ca112f10d27fc1b4ff58888e08f0ad1ae

SHA512
eced4c1db25611dcb847f43f06eb2774114c841cd7156c1ba438a5cb8fa8026bcc3769e3584ed162f8dde13759514ccd8efbcf92decb8edb5f3afdded3f59491

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
96KB

MD5
6bc803fde5cf97b1c9b19a899a63806d

SHA1
3d737f8e768031cbb77621becada109689ec41c3

SHA256
6bfa94af8039b0b2a2a7d95e51d3da04f4bf0d23639a027cfc4af541f48795f7

SHA512
bdf84321009a21725feec8e338ccd2a459e805ca6573b0ac8ee32fa5e2c91d2dd10bde43ace9fa4d79257a268ccb3e279dcb5ba38199de3e3522f9a5e4232c9d

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
96KB

MD5
ba35067f3f15fe9cb5bda64dedf7970a

SHA1
6de34befaa42582a78411e285590118aa456cf1d

SHA256
f0f79fa5a79ccab5203a9103ad2de3a07386d9027b567ffacd80538ba8adb5f2

SHA512
bf0c321e45f588c9d948575c71f769e022ebb22263b26cf7968ec20516dec24179a1eabcfa4cc3905f6e933b7b9df2147a2df5471153d070432c594cd60da316

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
42b64b3259eb1b0018e724878a493020

SHA1
ed8bc334a6775fe29b361a8e2a9fcf99e871dce7

SHA256
c3987f5ed05f7a664df241ec6fa90bd208267fa4ec7b1f8d2cf91ac630a1b56c

SHA512
9211d2451dcdd515bf415288bc14529dc7e00bb25d2d5200e8b1e2694db2e7932b4a3a9a9a3b4993f434716b949b46e295b7c0392e690fe289bb5cfe069b7694

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
96KB

MD5
30d688e1be01b14f7ffed228272bfe23

SHA1
c12443a14e477a7eeea584247a610b73b7579f32

SHA256
ff69ee90d2000b4888ec78e035c90454274786ea60f3b3532ad8beeb7a06cc3a

SHA512
cfee214a54bd5da918a2e3244aaeea324e15c7f785d178e6a6541c9e26ccf810d11a095b2e4c6aa1f56224c504088eeb67569965f1a1c5a4cf0675c75610ad5a

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
96KB

MD5
e5112fc2028b18c65e9ec73cd0377f15

SHA1
791a8904653d6af40cc77d359afc3ea90d73babe

SHA256
2d4966fdb8b3a1b9427c6d5a358683b8ad78de29d5a9876e2a010357cabd677b

SHA512
a11d54838c57f7d116ea6a504fe2509cbc1feb1a4cb52a757d5b859d4bb9f2951b7145cdba9be64f0bb25824ada1507828d957bdf9fb100a7a7c35785056fe7e

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
3102528ac7058f6035de8df7f7c4d1e3

SHA1
61139d3756d9a6daa99c73352d2b861e867ddcda

SHA256
6896a44865ad9a4b3753b02df07b94d21e602e16c522ce0fed8eda93c71e1270

SHA512
b4bb6cb15e32c903d8ba9741114977b87c8842114df830721e36469f8fadc03d79d1efa8a4869ff130d8f4542de99b8244e4dbeca87ac8c7d77010e4ab57264c

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
96KB

MD5
294eaf95bdbac11ab095507986e62f0c

SHA1
b7a8f4f5a3b82e8a5f4ee7f54884b2a2c6c7b329

SHA256
5407bb41920df7a1f3c01670eaba6624ed8fbd51128147d5e201d42d67d93ce7

SHA512
5c65795b5ae5de4865ad7cd61b96f1910a37bf54574f0656832696d68504ed47b458cc2ec3795a372497a35fe7f001d498a8c29bdaba6aa012af786f136cd986

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
b0e8da20bcda1fa0709e1b79c3928745

SHA1
4d234aa849105f78607ac7019e7e2783a4e206ca

SHA256
09bd41bb840a0bd188abed2e1677d1069b44256d39eb6fe824d39491a636c8db

SHA512
7376ce70f9ee68a23d33b90fc732f0144afcb1abb004cefa2d5562ec6efd92d5789d7300ecf887243bfc6d27ec2251a9b3efbd31241b9dd087146275dd8a4a83

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
96KB

MD5
7d5a9364eab722575546d53a1d678e07

SHA1
8f4b2ae84d06b000ffca68dfd8f062e6dfbcbb3e

SHA256
179f574c7f35aed6d22f7af1d2bd3bf489ce00b16fbc8ebc4558fabc6ee56d92

SHA512
b58e84c55bf0bc4cb9188209b56bd65dd4a8ae515fe56c8bbf794507bbedb73f390002068e9803d8ab9506929a25f29542020653006e156a49a12a36815282c2

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
7b25271857e5cb16665bb498e1fe5c4d

SHA1
d5012e8827914c8ae345f8deff88226ccd0e0c47

SHA256
c5823d65144e5aa28f41bdfceb9aec75e2cc446da44d69231ca1e214af0bcd8c

SHA512
70709d464b3b518d5148c802c05b9261db24364d2fc5b9a943d897c1d6c6989ed0bb8e1c8a1c9c1c8d08d8bfc5cece48be5056092d7b84d3d1350ed308e7c442

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
96KB

MD5
ca6c50cf736079150f28f45d41ca469c

SHA1
ba52bef60514b44a9c3cc0c89839adf45175c166

SHA256
6d7af94f6ac8f8544de3482ee2da3abcf3f0aaa36e68cb6b096b4bd24eaa1aaf

SHA512
c668ac211288e507f13cb47c366ab36f780c1e559760d07beb67b18dcae52ceb64edc24f1796e1e5153c5a4ffa08798c62e8b83faa366b52955ab3a2d95246f8

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
47e933fe6a254e6ac0d2a6aa58ad1733

SHA1
d4f93613d0eb7bedf4e657d9417bf842c079db17

SHA256
fd2f754b22cb68902749d58c93dd02edd393283872ea44b527058d29ba627435

SHA512
7b96c930035e78a33e02046006d9ea239ee4aa3458bb538c9b2794354e4f866e6a58a0b633155b6416fdc5e8e7afc080600a4e35eba8ec33ffc0cc01178ba0f8

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
9fb719fb20889aaa09248d78468b0f94

SHA1
c33d15da6a63c6c4812140fc0ed24196c5fae632

SHA256
4e6665c3c5915e997f008e621c8c11c3d4eed6fa6e3728e6e6d3e630e0592b8f

SHA512
064b400fbaae9559bc29960be04ca64ed3c3ba790d42eecab790e868893c7ceebec1b9a6bf3de45f80c9473a550f4107abf12d65201645f1cb0e75a78642c611

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
7d01981a54eccc92f13d1a4b7a1ff17a

SHA1
c6d3ea7128a25ce81949a66bac25a5d816b8046d

SHA256
7d39fe7ba630508cd1c6ee97df5d5b979c9e125b070252f3f5bb189212635d6b

SHA512
91927eaadfba050d201dbd999692cbfd4d137a0f9a8223d5aca1e1c14d2a439d204627f2d144e962a31d445a1a27a55755206125c234cb8b77af4c1c06886098

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
4fadff469297e29cfc5b2d03730dc416

SHA1
33281af77887d9322225da5782d801a4920b525b

SHA256
d7b962dedeae35cf27e4eee1868ce554d90c5993dbebabbef83c28ecd447fa57

SHA512
43f82a6465e58cfb33a3e2f39cb03525a96c14838be90cbadb375e826c3414e9207c2ab6697622ce41a94535b22a5a8b8cc22ae4b82cba72201916691e82e561

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
2b9b7aab9180c329febade5b96090cd1

SHA1
d0dd9413c39da0396c547a7997884a641a38f8c3

SHA256
8f94eb461f4ae7393257db00734ee6572acf8224a0dbbc6f98df1f6582419c83

SHA512
a9df93b29ce2b830a2d8a4d0437f1df0fc2d26a6d5063e4d7d1a0ebffd011569f83b6aef2e3c240fc25197fb63d8e7bbb2bc2a8c6ef79c868765a1a2f93d8d2b

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
b884b8d0c4e44db005fa06d5465a943a

SHA1
c5ca3fa538e0c03e95678fd60fbb5a6d0eff1a3b

SHA256
952f877eca877376421ae3db6082dbe9b8220b426ed02fae6d3302e12ef6abff

SHA512
ef747fa5975cdee2de120e3634fce6d1d48f0fc7625a0ffd7de45580bc6d560aee5df6c14c24fcd4072d400dae2c7a4ec948d19d975fbffc74d7477e081c2e84

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
36a1e51f26de9751065e195d03e91a19

SHA1
1bacf4c56a120a4128fb53bb712a0c05ff79e044

SHA256
7a71966bba14b05d35d2e35e8f45480a36bf30d460ba4e6617760b89832fffa3

SHA512
617ff05a49dc724ecdd9277492f31ea0cfbc43a920c85a191dc79bac4fe01c50a334fc3afafe306b522159014768ea07a343104773da7b0acc0adfb612074dbe

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
96KB

MD5
3961caf7f3d4bf4e705da4ed2be90c84

SHA1
ab9501fcc92ea049791352be9a43b89b71647de2

SHA256
156870d1dbdaa37b77e8daaca34dc8f47855eb16960a8fec5e375bc3020e3c50

SHA512
4b23b9b2c03ad9f8c84e557af484412cf5cececfda6cf4e2b0e3aed78fa6fef0ec0b6552a573edd2df0374599fd31d464b0a232bcfa22149075e26c47b072d2f

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
8baddbba4077ff130c3acae63d358535

SHA1
59bafa2728e854d6873474d5b58982a01bf92cc6

SHA256
2cc72c89dcd6f9f86de27a894acc3f20ad43a9509e1178d9b19909d04d0e30fd

SHA512
45f1a57a91cc3d48238c50395cd8751ab2667e797984c7e78a4c4a16b3a255e787d2dff450f5dbcebd4371779991696f2d9ecd97409b02e1713c4d7b30742ce1

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
f12d245fe77d9adb555c227bf180891c

SHA1
45182a729672a58719ea5f82b2b56be796ee6675

SHA256
977496439eee419187934441e4773e90c3119e658ed9762e88fbf6693a81859a

SHA512
a987b10547718d109558386a5a2638d09e1f9dd42dc2140f551a447e409cac1f506560c003ac79b5e9095c8bea54d67082866ed1202360441580177e94d6f260

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
d8fb80f16567302e74069135229b931d

SHA1
5ca18108fa539439791db341fb19ddd25ef1ed07

SHA256
0b11a55cceb41be7fa18929394a7febab2839fb4bcc2ec2d87bc4893242e09f9

SHA512
bf1b3ff02b36d35eb19c01c8b39d71098374be1b34ea34c6f70b8430d857280f6eaa676e157004e60d12b92f9861f7e2f65f52828e2faf156f7c415378cfa17f

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
00b1cb477ecb68275f689338560ab3a3

SHA1
2d5a578a66cbbabd2db1e97e06060e6ba3f65815

SHA256
cc1a2d0da7d8320aa9937a70c9939d7b37e4aef40dff6b3b0f02c097f7ef8697

SHA512
b7e69fe1610c346723c571f607ed13bf20ce75bc772287225aff236add78e9d9bce6d7a388252b3575a98e2ddc310fe8b69af2c2afd4a0b3787784ed99e2fa46

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
96KB

MD5
cc59082777ab2e5d2d9f7795a505913d

SHA1
d5f50b2c46a71a1b6b698a7c29a9ef1486926f16

SHA256
a03c84b830161cced48d3a224773fc21e895d68aa95dbadedf1808648b52661b

SHA512
18062f86ddfc9432bcb5c2ad7ea80eab58f48a85a0ce01d3af06aa999e354bfe3b56d572fdf012571542baefbc7ea1ba497f9f52cb66a9f5233623f908c12373

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
96KB

MD5
e6e6bff1baa65cdbce75361b364d0137

SHA1
1049a2b9f2a6261f8820fac2d4a4aa54b3359f5e

SHA256
7d7b4d564a6a1dd56e1dc80a75d5caa2a831616ba3f2a734494207f9ed686a70

SHA512
5d0eae9a10b7c0e36516dad3f20e57d3706bbc1a1d9f998d40382d81455da2686d9e2acef5189c15e92cccbfa490fb6654905fc0b63756356fc3c377d9e2f9c7

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
2a09090a8ac4cf663b955fcaf5bbd347

SHA1
749fb06d35af4ab0367d6ba8512b51a902c9fe09

SHA256
31e27c17d81afc20fe4512b41bcfc02d8855def15551ffb6cf6eb792dd4e1c77

SHA512
832cd1d39756565ade89a8c94c0695c514cb8b73266c6d67a1481b4b2124670f6b9834450e20072a64b29a0b164af1d22a3f9013689003fb1b0de4535b4cfa6a

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
15fa85a4ec394a9da769ff216cd81bbe

SHA1
9cef49af4ad793a641be26d4dd67fe3a5881cf3a

SHA256
809712ba0b6e22025b8f1d9a0c5dd5d20eb479264e0fa405af9946110c914b63

SHA512
8c6ea3305cfdb6ee87170e7932e6c3fdea3ac0b807eed30813fdd8bbacdcde5c514d3de023b4ba9051be2c0882ec232d8e923cd38f209d8499b2d4e3ffdbeda4

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
9da11d60f805c514da4754c132ef07c0

SHA1
031f6dcda09eabf32bf92541f4c42f650fcb2dfe

SHA256
d3f29bb0b539d00cf874944127e8c3550140337a9969480f956aa177ece5ad3b

SHA512
037ad5c290cf5b2c06f0c84ca04b2131ceeca12b9110cb0d982cec53e88233a5eb9d0eab1d6ed87db3547389c232f98a59ebb274bb8dfd7060c4ec501b770b94

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
91d45b9f0f489f38bdd677877d916643

SHA1
1d1cc0aefacaaa1251fb65af1c6776796fd9de75

SHA256
88814b8f86a44827e9e983493ea647dd7bb0ea5803e9cba184259b9cefd69b80

SHA512
64c3e1cd5a12a558d3ea8160f80e4f5c8df917dbf2d4eaafcf6ef837a523aff0dcddf1a1f3f3f2ff271c36367806b78bb82ec3b80db5ec07b5c5363f00c00656

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
96KB

MD5
c3691fde87b5b5c8fc62976dfef56cf4

SHA1
34888ccd45ea015cdbcbfa5de55f52c3bf94460d

SHA256
c4a896a9872a70dd9c4ed600dc516204539bea67fd7b9acbeac49aa0b0c311eb

SHA512
797e770f7d7d95fd536c839e8886bc9631892d531731351a9d6f194aaaf478492beb3e138533f1a3469c59711d3af9bff7634a0f6e92be2c80101bda3275dfb4

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
12ff12fbeff914369519d35593fb17b0

SHA1
30cf2fcb560da400b64e4e254ef3cebf0e883d88

SHA256
ec7189732d9b4958e411d35f922adc298915f8b066994e28477113f635bf31fb

SHA512
d48bfc61a38d4ba73b2882429e7eaf3c78b2684b2e35b538a4c82be6392447b9672b3ebefd7559b6d98e87ede0e1358f10e1134a1c4a695d36f23d5354c1adfd

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
55a188e6591ff026b73b9f45f989e8bf

SHA1
70440f74fbb7c638e28af4e3507c7eacfc7a4384

SHA256
4f452ee859fa3724dc3d93854b7b15ab42fc0af210fc102398f213c95b5efd76

SHA512
7b49b36acebd20b64905262fdc4cbc3abd1e9e993fa49183ba281b6400800439bc23eb32439aebe4de3a393b1ae61959bfa17b294c260d3811dbf0203077ed35

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
3421c389838b7515491ba36996462be3

SHA1
c51ed2bc1b349dd997853b40dd7ff019d81a20b5

SHA256
aaed029258dc65d1f381d399e40b702c526fbcf3fca370974b7291b43b562a61

SHA512
deb8e0f7a8250f32620b9147d829653f4bd0add4fe3034bbf588f727e0473962f388d0a26584ce3c288cf4ad6e9c0c774f0d6a5a489430fb2601c1900d27021a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
bbfeeaf7403ec41d20891232f8280531

SHA1
08b5e436e55304031bd49e3595ff9e9002450a3b

SHA256
9aebc3e521d4674f3d4d896927100464c0b522f4d55c86426a93d1cd5511d5ff

SHA512
39ab9609684615f9a86b55d8c08266265fcf0c2c2baa02a60a0b3faa17db01abdd6636f21999490bbf0836ea22db78dbeb6f386924ba806ecd85b4313633fbb0

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
e97b289a5fed08c681c6611327b71f00

SHA1
d64f29536a5aef523290f19fc49f13e755daa024

SHA256
7d5134b6afcebf5671c4c78824c0a83f2c1c80e2d2138c9be1ddd0c034073401

SHA512
8e122cd08fd68905b0155f68334d884506b0e413a3a1bf992ee1d9ac57fe719c75e71e31e290441d16111b86e56135b598d93c17af8be0f3bad93d27dcf44968

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
bdca152d9b5e72b693b8d180f469ef96

SHA1
cced8d4a639c73864651402e23f0b6ecbe9e99f7

SHA256
065e5d18f0bc8ed239038bd27d11452fb38b22a21498ce6bcaad462804d8d04a

SHA512
3bd888ddc7becd88f6410309fcfe06f3466420746e1856a236eedad7ac142553e7dffd02cd26a60f277d1d6b5d8c61a1c6adf03264952646db6fd983bd25275a

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
96KB

MD5
088ab868be05ce9ade1b56ce82af8cb3

SHA1
ad9d818d9402205834f76bacabe098b1dabd51c2

SHA256
7da25ee3de43a2624ad16eab1c776e75deab49770ddacff790cde2e158f58269

SHA512
f659ec8f749610f9ad206d1cdb346d6a56bdea94e32d25ebd89a059e62517dee84584f0e466d720dd0bedb89c3ec73bbd1f71c955db5a9861ce3db37c637fd7e

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
96KB

MD5
9c92c45363161a1c60c4461a927348e0

SHA1
f8a4029d8262c089feaa4b9950ea36a362dd6e32

SHA256
675498b98b13420a4dbc5e91e10a5ee9e342a068d8e205825e5deb00710661e4

SHA512
e2c33eea3ea097a9947551fd109cc15f1c47c90ecabf8e10393b19137a7c53b115f20e9c886dfb3dc8f3bcc5f39b565a14b2d72dab9d1e69c1df4417471a373f

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
96KB

MD5
858240bc82f7c5f621ba672c7458940d

SHA1
bfc523ba023c721b7d2baaad2f2b9f77d7db8848

SHA256
a77c119747507c1a212c9095185a455fa663366fc98a6b713d09549fec511758

SHA512
6a0f626280632f7605ffae709e9a989eef79d946987facbef3bd30921686285ea7fac24c6e4a4cb3214a5ead3f8de40bb44e606c75e9f0ced19dc62d1bd1d1f9

Download Submit
\Windows\SysWOW64\Aaimopli.exe

Filesize
96KB

MD5
5e15b9c846b5cbd207c9041efc2fd49d

SHA1
0a9d4b5237199e9b9a53da1c0ad52156b4151be5

SHA256
e9308f084e53ee7e899ffb3b28d144340979595cc1b224a401e126152797ce83

SHA512
6656ce4c1fcbc05720219a6ee2a5c91fb8d178a68d0628af7c069eaa2f9dd9d0fc141d88d16e2f8822a97dea41f87ce25eaf256888a88da42905b298d19dee1a

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
96KB

MD5
814d2e8387706a1e94818acd0cf111b9

SHA1
79669aa3d21085ecbb030dd139236207582ef333

SHA256
63b1ebafa5541b8370931a6e089678d0614423b773aa78d22ee9d321c0f122d8

SHA512
5b79becb1dbcd4bf53bd646cc91aed139fb90f1f4cea4c617f063a04466a8f1e6cbc2df4b66101f7a0e3d0ba7b4e0b233c750d8f7f47daa8a1e3ae7f1c2ee36d

Download Submit
\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
72b5d1ec271b5954cba2e8207e4bceb0

SHA1
f9dbbde9707e07112ff77a3564dae88fdf332d7f

SHA256
ba230364c0a0b7224be4ffc5f60007fec94ce1bb49083fce62f1a5704c2ec80b

SHA512
8174c3cf9933917b488189366ee5f114a282a5cd6aa4a260c38aa8d6940addc062d8bc6f7afcebe21bc4c929dd92fed0b7dfbcb67473657970df05d0046a1408

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
96KB

MD5
7aaa91551b8f46c1bba074a9d094e9f2

SHA1
99703c60cc4df8827a7f316e98cf9374a7ce08d2

SHA256
e8ab89140b3f92ee0ec1e52b135aeef7676f20628236d029c02baa28e9ae4c44

SHA512
40ad845d7d487124f4f28722db3d4db890bd9799a7faee5c105d632876acaef7171cdbbda07d971d839faf83e8411cdeb05f1ea81d8112e9d4902a9c22afa905

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
96KB

MD5
4de2b09653ebf7b3491e5f805e8b8f13

SHA1
fbc21debaa82ed5b35e650e56b405a8cbb3001d2

SHA256
b0213c9835c754c3b7a8f8c1421dfe9c695c7cc994c9b599c93e016f91003198

SHA512
5b5f4271b8f835ed1cbea848d484fc474e08f6ae8e6cd3044b1e31e5b5c4e01c6dd161be5513f0d59811fe2ca9d587ac507d635bae113096197f0569d2c79154

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
96KB

MD5
cb848702c639a3706626f46ffa2546b9

SHA1
3441ecfab4a6e617c8601b109a484cd258966c8e

SHA256
53f49bafdcb0f3976b70a7ff2305091299ef118619e8d5d3d0df91ad61e6f9b7

SHA512
3fff6091db6fdc2efa02094d31737aabe96e661d85756ece657a833b3a706df36df555257172360483c9e86f18dc068fa67a13a2414eb56bafdbdb2534ee85fb

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
96KB

MD5
07dd24e9f70a30110fe1ccf593c6b75d

SHA1
9d3b56abc29b1ea9600e210310ec9a4dbb1b6f81

SHA256
a87089a200c202374847aac978ee51aa7c5cf68646ce53a8dfdc2df67b8fa702

SHA512
323596bdc46b20b6341fba447fa4907b3df62128be397bc6d74fe3d0411db9b08d2a905890a6d2cd07ab8140643797fff96c03ccf7f780d49641401f4be2b13c

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
96KB

MD5
43221f39e0f0153e252293767050c509

SHA1
b0607707528be76c53a6f667a1ade0558e0701f4

SHA256
2e6e86272138987d8ca64b072ad83a0117c0c0dff927ab709c4eae904793abb3

SHA512
ac73650b5fb5bde79f3de2a9b3e0316c861a8df9162f1f614bfe3c5fb14ac4bf6693cc37241c001196bdf1c9d36c62d504fc30c9a153df709faabb7212ca477a

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
96KB

MD5
b74c6945d24e6add1d63ebc6e011523f

SHA1
e2f0f49cffe5683791a2d26166f68f9d067cef94

SHA256
7108d0c2019621869754cdbf00ccab8cfc35a8a6d8face7984ea3f714f579b44

SHA512
e675449b2bacc64b0ee64fe8426f06766cc2d420d1ad73cf3f32dbfe492eb944750bf8cf41a7a7ca4fc37deb39b8b1b12c226e4007e974f2637a51b4f9232625

Download Submit
\Windows\SysWOW64\Qgjccb32.exe

Filesize
96KB

MD5
001d908f032aceb780ebc1084b92f214

SHA1
d1baebbc6f0cf635de2e693cf4a1f560a8a0ee4c

SHA256
ba4515f35b1634b7138a86755eca78bc1cd56583bdd79909c5a130e638909810

SHA512
df228186b334902fc6d0779e7f123119af2aab3ba13ec129ff21a82750e21f83d352ef5084e7169bf47a0bc1ae64413f8641c2848affa3c572636f29fa2ac4c6

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
96KB

MD5
895bdfc0962ca459f31f0daa044d3622

SHA1
1b927bbf5e431d4769a9224e244ab922ef05e968

SHA256
8fc01164d073ee9ad92681dd934053347ca54d101bba28632078bdb5d79892db

SHA512
ec57cab0ec32d8efc07b7a6146c41f40556ce69902bd412b4c29c9516c8938ea317bfd6812c31aca9f8c0c4faade741204011a938bc4b9526738b461c39d841e

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
96KB

MD5
03cc7d8cbe40e23000ede382c238ed8b

SHA1
383dd11f63fccdd0c2700b52d7505ada651044a5

SHA256
ce5c421735d6a6681c9a7f602d142118b56920af2892a3d7408749cce56347fa

SHA512
34dd1ea96ce2939969a4878282690f381814ec8775929417c77a1b3b9d34dfa4d9cae80be71afdc86011a73404310ce704aedb71edfa98e640c5d64a36eb381e

Download Submit
memory/848-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-485-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/992-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-400-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/992-399-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/996-516-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/996-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-464-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1132-465-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1132-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-220-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1288-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-314-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1384-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-312-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1408-442-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1408-443-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1408-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-168-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1488-517-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1508-261-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1648-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-140-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1656-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1680-243-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1680-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-239-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1708-320-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1708-324-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1708-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-496-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1744-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-639-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-388-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1868-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2028-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-411-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2104-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-290-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2104-291-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2152-346-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2152-342-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2152-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-194-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2196-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-288-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2232-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-155-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2520-421-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2520-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-105-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-356-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2668-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-78-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2672-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-88-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2696-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-60-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2708-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-334-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2828-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-335-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2916-379-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2916-33-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2916-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-298-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3040-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-302-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads