berbew | 6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
Size

74KB
MD5

e99e412d51466606e76df70a127c9a7f
SHA1

b6a20a8b32048d8d9e85f85fe2e40c82433598cb
SHA256

6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2
SHA512

6bb372bad7a8af153a293fcf84bfc7194edb5fb24347660f051689eaa951eebed8e034671c0f666446fde18e5d989787196dc836505b018908d80df4ec68f295
SSDEEP

1536:GryLvGj1lLV5j57dgEQvSQu9ys2xTLNPRHVuuDuuuuuuuuuuuuuuumu0uuuuuuuJ:GeLvkljgEQvSQSQNhKqO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 53 IoCs

pid	Process
2176	Pplaki32.exe
1708	Pgfjhcge.exe
2260	Paknelgk.exe
2740	Pdjjag32.exe
2700	Pleofj32.exe
1920	Qdlggg32.exe
2604	Qkfocaki.exe
536	Qlgkki32.exe
1888	Qgmpibam.exe
2784	Qnghel32.exe
1996	Accqnc32.exe
348	Aebmjo32.exe
2852	Allefimb.exe
2508	Aojabdlf.exe
848	Ajpepm32.exe
876	Alnalh32.exe
980	Achjibcl.exe
928	Afffenbp.exe
2424	Adifpk32.exe
1676	Aoojnc32.exe
1808	Anbkipok.exe
2216	Aficjnpm.exe
2076	Aoagccfn.exe
1408	Abpcooea.exe
2468	Adnpkjde.exe
2944	Bkhhhd32.exe
2796	Bccmmf32.exe
2696	Bniajoic.exe
2900	Bceibfgj.exe
2588	Bfdenafn.exe
3044	Boljgg32.exe
2724	Bjbndpmd.exe
1792	Bmpkqklh.exe
2020	Bcjcme32.exe
1912	Bmbgfkje.exe
1252	Ccmpce32.exe
2924	Cbppnbhm.exe
2212	Cfkloq32.exe
840	Ciihklpj.exe
1080	Cbblda32.exe
2112	Ckjamgmk.exe
1580	Cbdiia32.exe
700	Cagienkb.exe
1468	Cgaaah32.exe
1724	Cjonncab.exe
2064	Ceebklai.exe
1740	Cnmfdb32.exe
2840	Calcpm32.exe
2760	Cegoqlof.exe
2820	Ccjoli32.exe
2652	Dnpciaef.exe
2572	Danpemej.exe
2420	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2024	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
2024	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
2176	Pplaki32.exe
2176	Pplaki32.exe
1708	Pgfjhcge.exe
1708	Pgfjhcge.exe
2260	Paknelgk.exe
2260	Paknelgk.exe
2740	Pdjjag32.exe
2740	Pdjjag32.exe
2700	Pleofj32.exe
2700	Pleofj32.exe
1920	Qdlggg32.exe
1920	Qdlggg32.exe
2604	Qkfocaki.exe
2604	Qkfocaki.exe
536	Qlgkki32.exe
536	Qlgkki32.exe
1888	Qgmpibam.exe
1888	Qgmpibam.exe
2784	Qnghel32.exe
2784	Qnghel32.exe
1996	Accqnc32.exe
1996	Accqnc32.exe
348	Aebmjo32.exe
348	Aebmjo32.exe
2852	Allefimb.exe
2852	Allefimb.exe
2508	Aojabdlf.exe
2508	Aojabdlf.exe
848	Ajpepm32.exe
848	Ajpepm32.exe
876	Alnalh32.exe
876	Alnalh32.exe
980	Achjibcl.exe
980	Achjibcl.exe
928	Afffenbp.exe
928	Afffenbp.exe
2424	Adifpk32.exe
2424	Adifpk32.exe
1676	Aoojnc32.exe
1676	Aoojnc32.exe
1808	Anbkipok.exe
1808	Anbkipok.exe
2216	Aficjnpm.exe
2216	Aficjnpm.exe
2076	Aoagccfn.exe
2076	Aoagccfn.exe
1408	Abpcooea.exe
1408	Abpcooea.exe
2468	Adnpkjde.exe
2468	Adnpkjde.exe
2944	Bkhhhd32.exe
2944	Bkhhhd32.exe
2796	Bccmmf32.exe
2796	Bccmmf32.exe
2696	Bniajoic.exe
2696	Bniajoic.exe
2900	Bceibfgj.exe
2900	Bceibfgj.exe
2588	Bfdenafn.exe
2588	Bfdenafn.exe
3044	Boljgg32.exe
3044	Boljgg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Fbbnekdd.dll	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Aebmjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pdjjag32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Abpcooea.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Aebmjo32.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Pgfjhcge.exe	Pplaki32.exe
File created	C:\Windows\SysWOW64\Aebmjo32.exe	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Anbkipok.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1120	2420	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2176	2024	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe	31
PID 2024 wrote to memory of 2176	2024	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe	31
PID 2024 wrote to memory of 2176	2024	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe	31
PID 2024 wrote to memory of 2176	2024	6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe	31
PID 2176 wrote to memory of 1708	2176	Pplaki32.exe	32
PID 2176 wrote to memory of 1708	2176	Pplaki32.exe	32
PID 2176 wrote to memory of 1708	2176	Pplaki32.exe	32
PID 2176 wrote to memory of 1708	2176	Pplaki32.exe	32
PID 1708 wrote to memory of 2260	1708	Pgfjhcge.exe	33
PID 1708 wrote to memory of 2260	1708	Pgfjhcge.exe	33
PID 1708 wrote to memory of 2260	1708	Pgfjhcge.exe	33
PID 1708 wrote to memory of 2260	1708	Pgfjhcge.exe	33
PID 2260 wrote to memory of 2740	2260	Paknelgk.exe	34
PID 2260 wrote to memory of 2740	2260	Paknelgk.exe	34
PID 2260 wrote to memory of 2740	2260	Paknelgk.exe	34
PID 2260 wrote to memory of 2740	2260	Paknelgk.exe	34
PID 2740 wrote to memory of 2700	2740	Pdjjag32.exe	35
PID 2740 wrote to memory of 2700	2740	Pdjjag32.exe	35
PID 2740 wrote to memory of 2700	2740	Pdjjag32.exe	35
PID 2740 wrote to memory of 2700	2740	Pdjjag32.exe	35
PID 2700 wrote to memory of 1920	2700	Pleofj32.exe	36
PID 2700 wrote to memory of 1920	2700	Pleofj32.exe	36
PID 2700 wrote to memory of 1920	2700	Pleofj32.exe	36
PID 2700 wrote to memory of 1920	2700	Pleofj32.exe	36
PID 1920 wrote to memory of 2604	1920	Qdlggg32.exe	37
PID 1920 wrote to memory of 2604	1920	Qdlggg32.exe	37
PID 1920 wrote to memory of 2604	1920	Qdlggg32.exe	37
PID 1920 wrote to memory of 2604	1920	Qdlggg32.exe	37
PID 2604 wrote to memory of 536	2604	Qkfocaki.exe	38
PID 2604 wrote to memory of 536	2604	Qkfocaki.exe	38
PID 2604 wrote to memory of 536	2604	Qkfocaki.exe	38
PID 2604 wrote to memory of 536	2604	Qkfocaki.exe	38
PID 536 wrote to memory of 1888	536	Qlgkki32.exe	39
PID 536 wrote to memory of 1888	536	Qlgkki32.exe	39
PID 536 wrote to memory of 1888	536	Qlgkki32.exe	39
PID 536 wrote to memory of 1888	536	Qlgkki32.exe	39
PID 1888 wrote to memory of 2784	1888	Qgmpibam.exe	40
PID 1888 wrote to memory of 2784	1888	Qgmpibam.exe	40
PID 1888 wrote to memory of 2784	1888	Qgmpibam.exe	40
PID 1888 wrote to memory of 2784	1888	Qgmpibam.exe	40
PID 2784 wrote to memory of 1996	2784	Qnghel32.exe	41
PID 2784 wrote to memory of 1996	2784	Qnghel32.exe	41
PID 2784 wrote to memory of 1996	2784	Qnghel32.exe	41
PID 2784 wrote to memory of 1996	2784	Qnghel32.exe	41
PID 1996 wrote to memory of 348	1996	Accqnc32.exe	42
PID 1996 wrote to memory of 348	1996	Accqnc32.exe	42
PID 1996 wrote to memory of 348	1996	Accqnc32.exe	42
PID 1996 wrote to memory of 348	1996	Accqnc32.exe	42
PID 348 wrote to memory of 2852	348	Aebmjo32.exe	43
PID 348 wrote to memory of 2852	348	Aebmjo32.exe	43
PID 348 wrote to memory of 2852	348	Aebmjo32.exe	43
PID 348 wrote to memory of 2852	348	Aebmjo32.exe	43
PID 2852 wrote to memory of 2508	2852	Allefimb.exe	44
PID 2852 wrote to memory of 2508	2852	Allefimb.exe	44
PID 2852 wrote to memory of 2508	2852	Allefimb.exe	44
PID 2852 wrote to memory of 2508	2852	Allefimb.exe	44
PID 2508 wrote to memory of 848	2508	Aojabdlf.exe	45
PID 2508 wrote to memory of 848	2508	Aojabdlf.exe	45
PID 2508 wrote to memory of 848	2508	Aojabdlf.exe	45
PID 2508 wrote to memory of 848	2508	Aojabdlf.exe	45
PID 848 wrote to memory of 876	848	Ajpepm32.exe	46
PID 848 wrote to memory of 876	848	Ajpepm32.exe	46
PID 848 wrote to memory of 876	848	Ajpepm32.exe	46
PID 848 wrote to memory of 876	848	Ajpepm32.exe	46

C:\Users\Admin\AppData\Local\Temp\6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe
"C:\Users\Admin\AppData\Local\Temp\6d8a8db6c48c80279f7dd77b4966accc82fd844c83bdc5f8f6d24c99211719d2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\Pplaki32.exe
  C:\Windows\system32\Pplaki32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\Pgfjhcge.exe
    C:\Windows\system32\Pgfjhcge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\Paknelgk.exe
      C:\Windows\system32\Paknelgk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 144
        55⤵
        Program crash
        
        PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
74KB

MD5
6cb46f8c6a4ebdcb4e4a745abb55c72c

SHA1
4f61765bf0ad84d6d6a5a35c63da4f4afba13607

SHA256
a9095f1cdf89187f2d26a5c55c2189286908524884b4e9a6aa9ea011b7d2598c

SHA512
6cf135899ea4f5db5ce826ed7af0da15ec0456a6624b2f500d3ff45d8e136cea111ef6413e06e74f617a056babee58475acae218f64e01b29675945ff10ae631

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
74KB

MD5
ee8193ad57dc9009e0ee8fd5bb41d0c7

SHA1
573fb2252c0a1abfd01dfee690b390afa877eb38

SHA256
52b2f5c2965a6525aad5f5ce7506703f4982325faa3767d8d73207061b3092d6

SHA512
d4621945971eb8bab9c689e93aa230fc300bd2fa52ba0a3b5c1be952e806aa8e2febffaaf7fcb053d5c5a905b34221f9a4fda1b2ab92e48f64a78019fa94a598

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
74KB

MD5
95a5f8efdcd2c136929054371e2cd522

SHA1
c3ccedf297838d91a8ab075f8763cde6321faef2

SHA256
b831194396b637b80fbb6371f9de751ff8e09d2023743e79f9aa6bdd238dbc03

SHA512
818b7d3fd9f7ea07bdf5a4c52036da046cd489c5e8127733018721bfd82bd05619d83d2153b4bfb8875835e0187052973f99f9db382fb7b5bf2f5db832d4fc16

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
74KB

MD5
59a030a9887b4515cc195a0a28297128

SHA1
811e9a0d9533fc07a64727e4ddf608be9f7c37b8

SHA256
c8be9e2aca1c64a48d68fd6e601d1c7ddeaa62719a36c0e44f449976ade1d788

SHA512
021625a050786564503eff974f45d50ef3f16322100ae5f41c7f4c035f9cd4492b0d8e42c33e7aa268450f5eeacc5d9f545b34675fa8a5a2041112757f9e05ca

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
74KB

MD5
5b4de2d92f21026ad521606669ee63ae

SHA1
8168b8063a0ec55de6eb0f815a02f3b87dc64799

SHA256
7f377c6da494b55b61296a8ddfe44f4ce4fe5caa3c6cc325286c7222407be3fd

SHA512
b0ac2e48b1ba3f16e8b4d6b95272a1a6db0f1460dce3da523e724b33ef29a4356ed3be70dc866727217bf9d457545a07cf1d0cb8b57df2816f85097f5397a08b

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
74KB

MD5
431dcad5e98b9bea72e619ebac1c58b1

SHA1
1a81b0775573418fb19f947cf1c5677537ee3fd8

SHA256
4ff84519b5c534dfa9226bad3ddf138230b800e3e5d0bce17c43d122298df139

SHA512
c7e14021e3014a01d9dd8c19cd04ddc7709bf655426177bcc82799d6c0a31c9bb89cd0e8b47d8b5bd3a367261bf0e9c287aebb9bcc220d3122890b07fe4a536d

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
74KB

MD5
ce9b5e52d06e9cc7968477082a4120ce

SHA1
5b8f7a0b631e62789c07a7a634761bd432d22863

SHA256
7d8489cac4b8cc8784f19d3b47ece487de12acd6dde7770ffaab843ba3b22027

SHA512
a148464750b15efc9d98c9c73659c001e0ad03fcddcfa216789e639aed5b80cf158a1c8c029575e5fcdd59815a7da2c8f8b5248e42c40472c40ff86502bc0c1c

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
74KB

MD5
a2a091ade54bfcd0dd427ba1baf3ee23

SHA1
78b36d52ffc45bc908a3de9229fe40ea0b697ead

SHA256
d12e589f25e833f63e6b46b322d82d4b9fb3ecec547bb3eb399772bd87a1e8bf

SHA512
dbf302d441eb1d0b47bc771aa9c9ebba5ea147ed716bee07a2ba6e887cdd8fdb84676cb16f3aab39fecc5d3446b8dc06c498ffd87e02e1e1afe13055b48c9d4b

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
74KB

MD5
c4540e02b75180e92c5531b5d1aaa7e0

SHA1
55de8b1ea152c067953493e143a98dfed7cd8e6b

SHA256
950ecf111f2d241cb6bb815dc26c54ad791dba13b9dbd753ac5e6c56bfe9fc2f

SHA512
dc46dec9cbf2f6ff7416f4302ae0ab2e0c34e4419bc987573e24b14ac3aa79aee4b68eafc5a36343bc2f19976b9760efef63cf63c0d15947da8dcd703547f3fe

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
74KB

MD5
2daa7ffd431ef159e8901d4ca392085f

SHA1
bbb775dfe31710eac35cd900f5565a2b43509fe4

SHA256
e90c647cb64c02153e4d10bd71cad85ce9de714676f67072982195044a30bf18

SHA512
8fe1392fa7916c4a3bb1ba7d8a6e333398e7458b2a206602e3950b19c12091ee5c8f2f649813d591fae679d70f9b08ce4d1415ffecfca8f67883723c8d314211

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
74KB

MD5
cbc9afe008affd31a4b63336c8f02d68

SHA1
5964a0bd561c8f6c5f1a8678e16cbe5a81ba0051

SHA256
86bdacdc0f3ffedfda18f2e678402bc73e3cc7e185277939f7d7b044475dc1ea

SHA512
d2e8b450b9002edeeed2587cbd340934cab9c8ce80a59c0b03a7ce354c6ace83116ba7a54884bd3f833c727716633df302c2ef023024b65697ed089b136a949e

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
74KB

MD5
258459153a18757ea987a6b31a77ab47

SHA1
aeec8d18eeffcd2d1f44fb0d740eea19efe2eb33

SHA256
d20a7a2d585e6f3d940d1b36ae73fbcf05124821918a522ba4a5d9631c9ab4db

SHA512
8a5a21c2af4fd2fa3b024dd22be0061eb13503b7fd2279793ce2d7c68bd53e5710be8763923c34af24298f4b9d98f564633639027d6231217afdef12446ae10c

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
74KB

MD5
231189e54ff8348bd9d8d77e76dc3b04

SHA1
f86d7d522cf8cae16dd19eaec30bbf7adfe48bd8

SHA256
2c174f236aefe649302fc90af7bd701f0adc676fe427be76460a9d32933940ad

SHA512
51808a9d2ba58b04c2aa99b184ddbe7c13ba586268e0cca9630d98e41e3cef14218a3b41a2182c2c9252f5c3b4b01284d8d1c5e50e88b2fc9c101374e0a947ec

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
74KB

MD5
84309ab4a7c806e14385cd78565266a3

SHA1
0942015deb61c3c592afa9f1902b35bd48307776

SHA256
fcd97225d848dfd3aa749ec8a4698d855d7cec42b83c38025e01703f8f73109d

SHA512
92bf972b770e273f3dd08e23bdf9bfbacdeedec886d3ea36ff702512d1667f76c2475b78e2db5d57973df284ca603c1a92160866baf188c271c97eb3e0571bfa

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
74KB

MD5
f55033217a7e3e828f6360c5731e0faa

SHA1
80bf16fb1da8f78839702d3db51a4743f933ec5e

SHA256
8d3de6485246965cbc82e7f8ddcbfbd32d1943ddcd4217e2fda36fdea012ab6c

SHA512
da4b2d1cd9f7cb35ecffe821ef7dc25c000f2bc2d1675a758595c5e231a6c9a2d6536880b76c02adcd0956f3c463adb84f7f7b3d4e8d845c7877b73dd7ef2553

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
74KB

MD5
44b670423dd0c5e0fddbf6b7a22de7a6

SHA1
4c4e99560821c85b3575d3866ecb25139b07bffc

SHA256
fc2b08bbdbb7738c042af7e41c78e70871621be20124916c8da365196c8f7b49

SHA512
3599a25db8a372ca5107aab375212da9c166cb820bf98be3bb30149817a12f73ab8c17698760a6de1135122cb4c2e8bf790232543015d1a771135a302749b564

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
74KB

MD5
8f69b5258b54160a7ae90710c8aab13e

SHA1
a9fd0ff77d4c98cf157e432ca4175c7fde3e35e0

SHA256
604e72caeb6d758390939655cef24b7b14676d9ad3d69dda80000d3c59c6af69

SHA512
a28edd4493882eb9f0bfb0e2f1d6c5aa8444f50b38b0c56b9ec0cdc13e828fc82410b9a5941c4dda09935de701b1a980de5f06317aa7daff0e9a27cdee0806b2

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
74KB

MD5
253e43b6baac2f572e3a21b725ecfeab

SHA1
efae8577195c20b3c01d0427b01885b523c53454

SHA256
6e2f9583cd334951902df5790b15d1e26ef9db9fbcc290e5229c341e3cd97075

SHA512
ed0481d2d8b8cb0b36feec29f16f7159cac7542ec62458b84f6ee8f3325c8d92ff01d1a4175a74a38fb28c7c9b1c4a80e6af87edce7bd9b7d931d0d8226d529c

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
74KB

MD5
93dc5ceb90153656c053b99d2f5f9160

SHA1
629b8a3fad6f83af7f282f8c30da4e23fa351fbf

SHA256
d45cf0f51028d788d80d24f5f7b32c6abd59022498be886380a0ccf74c93eda6

SHA512
61d06d5768b844dc02e4c31dd9361444ba9b1b1a3aa39886583541cae75dc156a36561bd7cb599a6279358fa1396a98feebbd259e5b541eb4040db9524d778db

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
74KB

MD5
c3328c07fe9e7b4771615738e6f0ac05

SHA1
a8e55d775588cba2b0a3ec2d7adea0c2dabaac7d

SHA256
49e4559d85da211fdf408b12edf620f63b6becfbde4f82f1a0d837d90749271a

SHA512
96959b09ec4dc6f16ab6d5683d25cc736290bce7252be2a10b5cb4f8b5e964dea8611fc6975bc6b5794a358977210bf3a4761228a94bf638ed305c29858a1d2d

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
74KB

MD5
7d9982fe3fce6fe9a5bfd01da9edb743

SHA1
394998632053781311c373eb4e8ca5ce6e9e108f

SHA256
616c9defe53bc1b3c0d335a1d87d89bb35dcb281aff39b84336fd78dd73b3ba4

SHA512
d871b2010981178103fcc5a0678596114b7ebc1d3912c97bb45e12f5addeb7a646fa2036edca79d803fd24d5e300c42e08a0035ab8135bc3c7e35a1f4ad77a73

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
74KB

MD5
3377369de100e70e393d3ea8ed7814c2

SHA1
1aaaeaa957b48eba0ae4e76a97ba5cca40ab7969

SHA256
9a0ee8a4cf15019da674efa733f3d0f0b40e88907f97f46acfbb761e2db612d2

SHA512
72308044ea8dc729e096224ce3b1b876359e9a1fc961a5cb35fca3910f6f34b3ec9fec70a76f443895dc3c65994946eaa08eaf6edc1f3eb7e5178500b9882c14

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
74KB

MD5
b1f5ca1592cdf35b31fd4fed5983aea1

SHA1
5dcf50bcb266b09bdeb4f077841445749570d97b

SHA256
60c22df855acc545b1ca0918cbf8e0efc2b46026ab3e01f0712f2b1d5046b58b

SHA512
87a76e059c09d196d8c5a0e1b3248bc34375b45e75cc64b944603b331af0eb3247a8aa1427949a8fb7bbbab0ad8f8108e88ccaad7fc4d52fd3acd17fe76fe557

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
74KB

MD5
f5827c8a92f7eeb29caf6d7461abdac8

SHA1
d7878475d6bb777b77ec208e9bd7f923958aa6bd

SHA256
373c2d48777d2b79ff6f15bc2941de21faf86c95e95659d256c7b201b85efe25

SHA512
a4ef0757fc20b4fb1a3f6631f1ae4697f63fe0a057b329381cd5371da57c675f924d02c451411b120c67dd40b0b8b89908a26eb0568e83972617cb59a9e722eb

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
74KB

MD5
0b1cdd1600e79fcd9c61382f3594e2c9

SHA1
6c6b4de9f2013194ea678bc44667da5e3161582f

SHA256
1ca492e2ebc90468e6be756455c434e140d7bccd31d8ffb9eafe7f47a388704c

SHA512
6ed3cb4db18013192d9448789d88f7538e13b0ab4a619a6e805212c3186c64e6466c13acd74e550bbf3780edf05dec682947955fbbc8c589553e79701a4ff9c6

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
74KB

MD5
94838f2d5db58e1a2569924ccbe8cd03

SHA1
669c64aea3e566134be91915bd75548592506810

SHA256
432879553dd1d3c7655f768b7718144f87a99e9104c20ee4b5dc9c4e50bc874e

SHA512
4adbfebab4e50ad338bc89fa0afe3f39946251aaaf1b3cce4b848774ad8949b28689b4b226d65796c375f7edf25e535e4605a8a95e4b87f9a606c17834cdd161

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
74KB

MD5
4114e241219dee797db1e2a10288e2ec

SHA1
dc17d375b07615ed2178977b1dff6a17291d1d92

SHA256
529b9356fd726c34181593086f87e86e196bc38fc951c732a051b7070b9141ce

SHA512
ed00abfecc43cb5c05c2a2be45640a0a73ec0c5b9111b6f829c5f1721b744dd458485f0f9a25926f76461d594a9a29f08015029d058114db739bcceee12a0645

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
74KB

MD5
c61bfb2ccb9961ad3cb6afd699b7b5f0

SHA1
2270b420dd735fa417dafcc32f2957b04178dfa0

SHA256
7e2bf5ee9c676c34b1aa180f664160ef554f49a702686f8a2a45f3ea9f473137

SHA512
4053cca8bc1a13f0c8ce7593b4b8608908b76434df546529bbdaae065139a5403d8644ce7183e55bf5826781ac7a436833db3755d2349b0739359451d4176a1b

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
74KB

MD5
42f1d943f440272cbd3bf64ec74c2160

SHA1
ef8e2c180d796e82560a1e787c3aff842a16d16f

SHA256
4868161502397f0ffd09c6baeb9bffd7e3af54a650282908a68d290126979805

SHA512
e9e60a879813381a3e55a7f4b5033e7ce2bf6f81e16c71f91b0c33c27c51c473c895f7037a9861fcb057b477d8f14a6d1a39439fb12d8591038a95da3dc00a2f

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
74KB

MD5
40b48d63a3a204e35c44c76796f9dd22

SHA1
0dd808f548ca7cf679259d2d0eb6ea80fbf8198b

SHA256
dd8791d20dd533f3fbedc028ce912c9bc37f6e7b484d75251ffa0f4a69773a95

SHA512
9441139336a8fe71818ba9a347cc768298fef7c0e7525ca75e9929dd3fff4cde02e46ad2bf49b9639e4b64bc5772ee8a21d811c02018b71ef3b1238c4401b17c

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
74KB

MD5
691b169e70804106967a1c27f0160ca9

SHA1
e00a3e8bb2557f90b827147dcd8ef62a5d4a39ac

SHA256
58d02151eed735c85b7eb92e0f8f64a7ccd31ea759674111bf2e181cd7612e93

SHA512
a3892eefd16ef357b145e721f21ecc23483c9aed3d30b3fd4425409707b1cb3d162f07c9ec140c8b141ec63e27a3d97fd9f97f6d89d1e787ca6c59edfa017b2e

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
74KB

MD5
12b9316ff8aef05ebacef50e38300552

SHA1
d71dfb43ffd37e916d33885a22da67d0d357cff0

SHA256
d53d8a0650f8cb2d80ccfbf121740902902bc3811f6bd332d059b2e079e94785

SHA512
8c3e5d3a13274f03b03110751bf4b65e2a4ffe2167f4b00a53bbf0f4e5db8fc2e0cd81a80cf4c8388222d2cc845aa4c05b1656a45dd3859d6cbd767f58e7ad09

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
74KB

MD5
aa1fe04baece41380daec75cae325ce1

SHA1
919459a5bdcd4156f163832b85edf1dfd4580fab

SHA256
3a375565f566f0cec554db33e8aa41256a8705c38f3c7223acf729c3bee88277

SHA512
095264b4fb4ae7247cc5313f89f51f66d4f95b62f447af618319efc2214b6a961fc46026d9361de3828b89c680e8e040bd717d8b9dda6a8428118e8b7468f092

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
74KB

MD5
856d790dd6baa7c6ef478097e7563c2d

SHA1
fb5c0337e7922a682c0ae811a26b016025915948

SHA256
94062f342304c6bba3fd4b20db475d2f6a74456ab54f6fdffd41b0c311812536

SHA512
b7a89b4263ba791b91974bcdc01c48adfd1ae0540eaeeb0aaa8abc7507e2ebb4ebdebf05d9e5447a65b211aae0ce1bd3d15df11d456cc0aa4b6a75e4517e93f7

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
74KB

MD5
23df03bda9dccfe1e911106cdeb0a8bd

SHA1
044586f666ad00888476c4bc0738ba0877774afb

SHA256
14d83fef06ec34fa69c38c44674bab2aa151e3ea3efed49e1286663910c93920

SHA512
4d4f06bb037adcd4a9deee8f9ecea861813d4baa7a24f1a58ae1ce13494d27fcb5db8a19c3f5f1ee5722dbb16932b5d13b089fef72499347294f58b145bf6603

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
74KB

MD5
522348922d8422aab773935b37603800

SHA1
24d869f33d08b96f5765c193d5a89b71c698668e

SHA256
d8d348850598b677b31bc53042d89dbec178fc0beb678aa3f0713a2bc39ba26d

SHA512
e3c085c75706295b7f37d430148a8f7e27e229ffdcf54de0340987aa20129b432cddf85fca0e845e48ea19baf217bc9056365a1fb987b37df2b1ed8143eede4f

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
74KB

MD5
7cbbb13b6766af9dbd1f8ebd7d67e56f

SHA1
1e41b9be27b78742946c4225fddbec3c0b8485c7

SHA256
4e31bb45d6785fbdca099556b623b00ab45cd94f1f859e6262204129b2dedbab

SHA512
08a8f5f4109bdf20906ba4431d2783f8c6655bd1593e7d6d9ee8ca844631a329a75ee10e8838d0c49e26e0398f32cad5272c0398d1b909cf71383ee350da9c69

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
4e9590136ef2f2e25e6b415515f4ae6e

SHA1
603a02ea0151b078293ee6a48808e4249eb107d9

SHA256
25a386f6ee9feead8d7966f7ace090767fcd1d801e426ab2d7dd276acbb7fc0b

SHA512
d59527b9d42fa6295863b2b823596f54f9d3a728962f99986cfeafbf0292461a07347887c21096a5a64b21d1b2180b85bdb408d5dbc121113250b964c35de81e

Download Submit
C:\Windows\SysWOW64\Nlbjim32.dll

Filesize
7KB

MD5
14545ec1d6931b4b87fb1469ea7beb9c

SHA1
b7898e74d7de7ae5335ca81d49011ee53dba11e5

SHA256
e8042f80d9344fff88edabfe96ab5652dbcb6ce711deb1c0d724275658fdef50

SHA512
0dc5fd6ceca5d9712e3deec4db509e47886db664acef144831be10138bf05696ced54366345db78426832b4fb187afd7bb89629e5e476fd7be8a0e3829b8d1eb

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
74KB

MD5
18dcd9489d4f02df7ad83fe2406a5add

SHA1
c7c4442f204198dae6d360c817ccd1a12a97135a

SHA256
c110ca773d1e7e713590fa0a13923bc7e4f428c8847053d867116873c9312570

SHA512
a1a6fd7e996b2d519162e94b38c91f9644f8c059aef183ecd048a2fff5cb59acc4ed10bca0bd26f5de7392a9413256d57590539efb099c389d2441ac07813963

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
74KB

MD5
57f649a85acfb0488eabbeb79dbfdfa5

SHA1
0f06ee9cbb80a6c524bce3396b7ea67343266bdd

SHA256
9fb335332d9586b26a04c8fb9705e2f092d7e6bd50e637c1c0543443cb1c5007

SHA512
65ab65acac55a13f1052d89ba3d937ddb981804f11df56fffd5f3426bb565b002078eec16169cdeaa58d63aecf8f067e16bcf5a354c631efe7f480a694cf44d3

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
74KB

MD5
badbb122c2641757f7e5305d7e9920a1

SHA1
8c300c49c70cb786bc054b7c5a5de88b2614ba4b

SHA256
6efe8c87b633cb152afa1d58aa1b8c6ebde56c59970e8cbff154850156c92fec

SHA512
4672ec8a7b6ed7806c6ade952f12a14fe007af1b2733a6e4aafca5052da0804068108505974cf31d4b8eb03c44b48c53ef935ee5fd87a09bf1278c92b17d8ae4

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
74KB

MD5
ba476c9867ace79e378c3d07ad518dae

SHA1
223e0f90079200610b952a7bba04c27e07c2d2b7

SHA256
ec52f00b97d44c233c51b6ba8c9c46e45789d604bf05f8c194863435e7982daa

SHA512
10ba221897f514a9cd49d50945343d7eae61481e5d50727513dc0b7aed66e91957120abe6dcef734e732b0c767eaccd8eb1a6fe6318efe9958e7aef1130cc86c

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
74KB

MD5
eb1131b89ab829e2ae8c2a4b92c22a70

SHA1
666252e38fac957d7a6ebe745a8747e3e0fe4e1b

SHA256
728720ba4101eef658ae3e2335896cdbd8664a51a2036f874bd5a1fcf00d453c

SHA512
5e108529190f562f439c19fb920135e7b65ba7313a70a4f4282dcb64c3638e73a2f45baae77978e381b4b439eabed2813e58221b5249200061866bfb15e27811

Download Submit
\Windows\SysWOW64\Ajpepm32.exe

Filesize
74KB

MD5
e4d4d16e8ee08171f0591916c0e617fd

SHA1
5512b5a71bbb0d776704921b8618fd6d6acc9db4

SHA256
021ca130b84e4703df083f9f3ec3f1f8adbfc15e992f7474e7aa51f01ceaf41c

SHA512
a6cdf16a47f8ec0246a155ebfbaef42171180c2e82b7401af195426f776fcf944f523912ce2e66ee8711d5b3c5ddde77c655d89dbd2b358509be0de4201939f2

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
74KB

MD5
c629539a5f420bc964bd0324c5e7eddf

SHA1
838a77b3a97ca72ac6cc8ea67f869d4237ec1bcc

SHA256
64f5924d9cb49ce00d18eec9863bc6825231a99b121b3c842f2fb21b6515cb46

SHA512
a7dc3570be3eb46088d70c0a3d1abeccd18f06a534de86d87989bdeb8f6e1a442308d8b9aee95a068a337ac4f8d568a94002da97ad1463b1582a97586b4b6c0f

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
74KB

MD5
f9e235bdd375dabc4e34b7ae3972c17d

SHA1
d555ca2b9c6b8610c83ffe447a979bf00b0ef0a7

SHA256
960567a1cc404c47252bcf1966ad66fdb2ac9c6f37306eac80d14d206c71740e

SHA512
fea05e794282509d7a6862bd17d57941d1d98bc20c6d50c88cf426f64b05dfec26e94311c3870e789b76ce03ceabf0f126fa428623e2a6f339248a36ef910bdf

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
74KB

MD5
1b0a966e048b5ff94c8705b6fe2dba19

SHA1
24bb7b5cd8b527156864f4fe4eb76eb326ef199e

SHA256
800293de7683bbb1d73550f63117c6299377ddfd65bc039c05c4c9cf4e6dcf84

SHA512
94ef642359a7bcf75009efe5ba3d2fa3d09b49c03b92a332b4efe32b2b3dadf5b753cb9d0a79d46fbf7a26357a815aecc7fcce8afbd344edb59209fe597e5549

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
74KB

MD5
b5485ff1496efc7ff30ebf19e89abc51

SHA1
3d08b3f694258b4918b104eb47d92fb6787f5db4

SHA256
74e6133152c2c64a8754254fa8c62389d791f009a0b2ee3a451e498b3433e008

SHA512
63aca1e927759092bf01e11ca1786331abe37ccde3fd0c5ae0b4bcc610466117ca9e31651d6af3830350b3ba2a4d88edf7369667c0c05aed0f8083524b89460e

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
74KB

MD5
e8c0b89432cc06b6d95f839c264dfa9c

SHA1
b19b03d83607698449ead50b346f7421b653780a

SHA256
2a5f5c385dc6fd682c0d0e96ffe9ff5dca2a0391528b73f44ddb87dac76f98af

SHA512
279eabc10d8ea7b08b092505d1b7af0dab844b45a70c9c6e87a010b2ff703cd6b8081779968d91b5e0ec944ed7a16050dece4dc5411a82be69c3f3734e8d06b3

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
74KB

MD5
65eb2b3fdabaf1bf0eec4ffcd5196643

SHA1
9b362c14b32fc535d3636b8c65ca41019304cb4b

SHA256
a2d67de47e646340400ed8fae502d4c3e7fd73d6e83a47c60e621b09ee9e0232

SHA512
f1fb2cddea9a8540770eefde3f2601af0278aded8a2b454bfbdcdba17b715cf42f3fa26a657532cc1bd8ddcb8c711a012edb87f6a46dc276f3e9f3b3a84f0ba2

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
74KB

MD5
31f35e5bdb5b463f03bb862aaf1f4899

SHA1
a0fe7806ad19fd937a52e189df46e024b3d8baa7

SHA256
f47f3ec69491b19be73863543f16ce890020db50b622c63582e9f1d5a1e95556

SHA512
77d4517156326f6795b9863b56e2d54575078544c4a13e114069032a73f0be88b27469005a39eabd1660428b8e576809a1734dbe72095c13f8c18e8626219bc6

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
74KB

MD5
3123617b3f8a7345b21204284bb7fd80

SHA1
fb409db5e36eccf9a3f4efc2ea798a5c5f4b9c44

SHA256
41fe6b602c9c288c3395cb89992937b38a020d7eeee3e60cc7ac4902f70a130f

SHA512
aeab3fbe4cd517581a63753e04c0620e147420b174368cce6a83965dddad0a7f1ad7b913505ca8324f7957b93314e30088608d3082f31b89952022cd89f3eefc

Download Submit
\Windows\SysWOW64\Qnghel32.exe

Filesize
74KB

MD5
93923372ca33f6c5b9752db6062428b6

SHA1
6d6e660a7b2e240db9257400e62a3bebb3ce1b6d

SHA256
1720f769c98754431fe89b07bdc465d07fbd53bbd0917ef5b929de674f7a7fd3

SHA512
497f2f68dbbd6a8927a68321e9c079ab6b7f083deb201a8adeeb3071574e0fe054cfe9f1ab39c9085b2e477df5d54dba717579305686dcf6e5a513102b35a6fa

Download Submit
memory/348-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/348-494-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/348-167-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/536-114-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/536-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/700-504-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/700-499-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/840-463-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/848-210-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-219-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/876-212-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/928-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/928-238-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/980-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1080-474-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1080-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1252-420-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1252-429-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1252-430-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1408-299-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/1408-300-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/1408-290-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-515-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1468-516-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1468-505-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1580-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1676-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-377-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/1708-26-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-367-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-38-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/1724-526-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1724-525-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1792-396-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-269-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1888-462-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1888-123-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1912-409-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1912-418-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1920-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1920-87-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/1920-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1996-485-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2020-399-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2024-366-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2024-15-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2024-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2076-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2112-475-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2176-368-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2176-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-453-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2216-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-276-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2216-280-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2260-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-311-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2468-301-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-306-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2508-185-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-193-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2508-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2588-362-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2588-356-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-93-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-343-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2696-345-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2696-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2700-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2724-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-397-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-404-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2740-53-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-60-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2784-473-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2784-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2784-141-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2796-333-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/2796-332-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/2796-323-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-510-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-355-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/2900-344-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-351-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/2924-441-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2924-442-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2924-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2944-322-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2944-312-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2944-321-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/3044-378-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads