berbew | a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
Size

160KB
MD5

78fba3aee01125ca456b72bb6f249be0
SHA1

dfbfbfbb1ecc21ce408b18ca8271f97d9b51aefd
SHA256

a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd
SHA512

5734bcec9afc24cdc4d3b2b7335e0a27e58162925e6b891024b8691dec77ca7eafa9f84cf4298b4d4fac49946b148a8cb37ad240391e4e45e5acbfdf4d58fd9b
SSDEEP

3072:0Ai/m+sm/H6pXE1yK6gb3a3+X13XRzrgHq/Wp+YmKfxgQdxvr:0T/mwaFrKz7aOl3BzrUmKyIxT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baohhgnf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

pid	Process
2132	Ohhkjp32.exe
3020	Okfgfl32.exe
2644	Oqcpob32.exe
1984	Pkidlk32.exe
596	Pdaheq32.exe
2916	Pgpeal32.exe
2088	Pokieo32.exe
2540	Pgbafl32.exe
2972	Picnndmb.exe
2868	Pqjfoa32.exe
2348	Pomfkndo.exe
1440	Pmagdbci.exe
1296	Pbnoliap.exe
2556	Pihgic32.exe
2212	Poapfn32.exe
2216	Qflhbhgg.exe
1904	Qkhpkoen.exe
704	Qodlkm32.exe
868	Qiladcdh.exe
1392	Qgoapp32.exe
2388	Abeemhkh.exe
1992	Acfaeq32.exe
2672	Anlfbi32.exe
2524	Amnfnfgg.exe
1092	Afgkfl32.exe
2624	Annbhi32.exe
2328	Aaloddnn.exe
2256	Ackkppma.exe
2988	Apalea32.exe
1888	Acmhepko.exe
1228	Afkdakjb.exe
2964	Acpdko32.exe
2772	Abbeflpf.exe
2912	Bmhideol.exe
3040	Bnielm32.exe
552	Becnhgmg.exe
2792	Bphbeplm.exe
2008	Bbgnak32.exe
1628	Biafnecn.exe
2356	Bonoflae.exe
1956	Bbikgk32.exe
2552	Bdkgocpm.exe
1324	Blaopqpo.exe
1712	Baohhgnf.exe
2268	Bejdiffp.exe
2656	Bkglameg.exe
2464	Bobhal32.exe
2784	Baadng32.exe
3048	Cdoajb32.exe
2704	Cfnmfn32.exe
1480	Ckiigmcd.exe
2508	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
2848	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
2132	Ohhkjp32.exe
2132	Ohhkjp32.exe
3020	Okfgfl32.exe
3020	Okfgfl32.exe
2644	Oqcpob32.exe
2644	Oqcpob32.exe
1984	Pkidlk32.exe
1984	Pkidlk32.exe
596	Pdaheq32.exe
596	Pdaheq32.exe
2916	Pgpeal32.exe
2916	Pgpeal32.exe
2088	Pokieo32.exe
2088	Pokieo32.exe
2540	Pgbafl32.exe
2540	Pgbafl32.exe
2972	Picnndmb.exe
2972	Picnndmb.exe
2868	Pqjfoa32.exe
2868	Pqjfoa32.exe
2348	Pomfkndo.exe
2348	Pomfkndo.exe
1440	Pmagdbci.exe
1440	Pmagdbci.exe
1296	Pbnoliap.exe
1296	Pbnoliap.exe
2556	Pihgic32.exe
2556	Pihgic32.exe
2212	Poapfn32.exe
2212	Poapfn32.exe
2216	Qflhbhgg.exe
2216	Qflhbhgg.exe
1904	Qkhpkoen.exe
1904	Qkhpkoen.exe
704	Qodlkm32.exe
704	Qodlkm32.exe
868	Qiladcdh.exe
868	Qiladcdh.exe
1392	Qgoapp32.exe
1392	Qgoapp32.exe
2388	Abeemhkh.exe
2388	Abeemhkh.exe
1992	Acfaeq32.exe
1992	Acfaeq32.exe
2672	Anlfbi32.exe
2672	Anlfbi32.exe
2524	Amnfnfgg.exe
2524	Amnfnfgg.exe
1092	Afgkfl32.exe
1092	Afgkfl32.exe
2624	Annbhi32.exe
2624	Annbhi32.exe
2328	Aaloddnn.exe
2328	Aaloddnn.exe
2256	Ackkppma.exe
2256	Ackkppma.exe
2988	Apalea32.exe
2988	Apalea32.exe
1888	Acmhepko.exe
1888	Acmhepko.exe
1228	Afkdakjb.exe
1228	Afkdakjb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	Pdaheq32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pgpeal32.exe
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pmagdbci.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Okfgfl32.exe	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pokieo32.exe
File created	C:\Windows\SysWOW64\Lhnnjk32.dll	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Pmagdbci.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Pgbafl32.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Acpdko32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ikhkppkn.dll	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pmagdbci.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	2508	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2132	2848	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe	30
PID 2848 wrote to memory of 2132	2848	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe	30
PID 2848 wrote to memory of 2132	2848	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe	30
PID 2848 wrote to memory of 2132	2848	a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe	30
PID 2132 wrote to memory of 3020	2132	Ohhkjp32.exe	31
PID 2132 wrote to memory of 3020	2132	Ohhkjp32.exe	31
PID 2132 wrote to memory of 3020	2132	Ohhkjp32.exe	31
PID 2132 wrote to memory of 3020	2132	Ohhkjp32.exe	31
PID 3020 wrote to memory of 2644	3020	Okfgfl32.exe	32
PID 3020 wrote to memory of 2644	3020	Okfgfl32.exe	32
PID 3020 wrote to memory of 2644	3020	Okfgfl32.exe	32
PID 3020 wrote to memory of 2644	3020	Okfgfl32.exe	32
PID 2644 wrote to memory of 1984	2644	Oqcpob32.exe	33
PID 2644 wrote to memory of 1984	2644	Oqcpob32.exe	33
PID 2644 wrote to memory of 1984	2644	Oqcpob32.exe	33
PID 2644 wrote to memory of 1984	2644	Oqcpob32.exe	33
PID 1984 wrote to memory of 596	1984	Pkidlk32.exe	34
PID 1984 wrote to memory of 596	1984	Pkidlk32.exe	34
PID 1984 wrote to memory of 596	1984	Pkidlk32.exe	34
PID 1984 wrote to memory of 596	1984	Pkidlk32.exe	34
PID 596 wrote to memory of 2916	596	Pdaheq32.exe	35
PID 596 wrote to memory of 2916	596	Pdaheq32.exe	35
PID 596 wrote to memory of 2916	596	Pdaheq32.exe	35
PID 596 wrote to memory of 2916	596	Pdaheq32.exe	35
PID 2916 wrote to memory of 2088	2916	Pgpeal32.exe	36
PID 2916 wrote to memory of 2088	2916	Pgpeal32.exe	36
PID 2916 wrote to memory of 2088	2916	Pgpeal32.exe	36
PID 2916 wrote to memory of 2088	2916	Pgpeal32.exe	36
PID 2088 wrote to memory of 2540	2088	Pokieo32.exe	37
PID 2088 wrote to memory of 2540	2088	Pokieo32.exe	37
PID 2088 wrote to memory of 2540	2088	Pokieo32.exe	37
PID 2088 wrote to memory of 2540	2088	Pokieo32.exe	37
PID 2540 wrote to memory of 2972	2540	Pgbafl32.exe	38
PID 2540 wrote to memory of 2972	2540	Pgbafl32.exe	38
PID 2540 wrote to memory of 2972	2540	Pgbafl32.exe	38
PID 2540 wrote to memory of 2972	2540	Pgbafl32.exe	38
PID 2972 wrote to memory of 2868	2972	Picnndmb.exe	39
PID 2972 wrote to memory of 2868	2972	Picnndmb.exe	39
PID 2972 wrote to memory of 2868	2972	Picnndmb.exe	39
PID 2972 wrote to memory of 2868	2972	Picnndmb.exe	39
PID 2868 wrote to memory of 2348	2868	Pqjfoa32.exe	40
PID 2868 wrote to memory of 2348	2868	Pqjfoa32.exe	40
PID 2868 wrote to memory of 2348	2868	Pqjfoa32.exe	40
PID 2868 wrote to memory of 2348	2868	Pqjfoa32.exe	40
PID 2348 wrote to memory of 1440	2348	Pomfkndo.exe	41
PID 2348 wrote to memory of 1440	2348	Pomfkndo.exe	41
PID 2348 wrote to memory of 1440	2348	Pomfkndo.exe	41
PID 2348 wrote to memory of 1440	2348	Pomfkndo.exe	41
PID 1440 wrote to memory of 1296	1440	Pmagdbci.exe	42
PID 1440 wrote to memory of 1296	1440	Pmagdbci.exe	42
PID 1440 wrote to memory of 1296	1440	Pmagdbci.exe	42
PID 1440 wrote to memory of 1296	1440	Pmagdbci.exe	42
PID 1296 wrote to memory of 2556	1296	Pbnoliap.exe	43
PID 1296 wrote to memory of 2556	1296	Pbnoliap.exe	43
PID 1296 wrote to memory of 2556	1296	Pbnoliap.exe	43
PID 1296 wrote to memory of 2556	1296	Pbnoliap.exe	43
PID 2556 wrote to memory of 2212	2556	Pihgic32.exe	44
PID 2556 wrote to memory of 2212	2556	Pihgic32.exe	44
PID 2556 wrote to memory of 2212	2556	Pihgic32.exe	44
PID 2556 wrote to memory of 2212	2556	Pihgic32.exe	44
PID 2212 wrote to memory of 2216	2212	Poapfn32.exe	45
PID 2212 wrote to memory of 2216	2212	Poapfn32.exe	45
PID 2212 wrote to memory of 2216	2212	Poapfn32.exe	45
PID 2212 wrote to memory of 2216	2212	Poapfn32.exe	45

C:\Users\Admin\AppData\Local\Temp\a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe
"C:\Users\Admin\AppData\Local\Temp\a32109d408566dfca878225f43ad3689b44c83cc54607a1dc726a4b54b10bacd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Ohhkjp32.exe
  C:\Windows\system32\Ohhkjp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Okfgfl32.exe
    C:\Windows\system32\Okfgfl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Oqcpob32.exe
      C:\Windows\system32\Oqcpob32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 140
        54⤵
        Program crash
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
160KB

MD5
0f5c619ee5313ca1fed4a336580b68b4

SHA1
90fd690ca61b6ed5e1b1841f1e40e910a71dfd83

SHA256
5698d7efa770e9be953dad4431bc2420ba5de733f42dc018d67c72ee1bb62ae2

SHA512
e7a08a72efc296190f28302fb0c11f437337f644b7c60bdf52b6f64ac4cc0d64ea4d345112074d65861408ab8fc0dfead15e139017f2f0b662ce2bab7e9e22f4

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
160KB

MD5
cf12cca4414d08ffad127b7ce094e435

SHA1
f1b00dbbfdba4b98a64e61991475c68616b5f844

SHA256
e22dc1750b0253c7ef0f1d9c6b727e2f1057212d8e32d76f859a37ddc383f944

SHA512
3bce949e78f7bfcafb23ca5f6afbf4beab05be1ae209f7ad3cd958483e995129c7f98a8d5a1a8f1cde33af6c07efb03f3ffd94a45f955f841f0828d2c5b518c4

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
160KB

MD5
44f42b7e165d42b02b371851171a83a5

SHA1
201ceb935322c8a11b4c4616dbbb1e07075d632a

SHA256
87520464ac2e667002e7113206030da221681bc4dc47fac9100a0008763aa1d6

SHA512
d321a38afad9d2d64ff4b6249661a179d545bfa9d7fb51d72f76a57142e1a4d4dc2ba93efea65ef4d32cacc006ebfda6432d301a659c488b4c876ee3d8abadf1

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
160KB

MD5
6997750c087d093db437bd48504f9bf5

SHA1
9c089e15ceed3ecb93ac6e5ccf74ad674f2b11ef

SHA256
dcb78b028bcb018bef6ffb8e942c272d9ba9034848872a12354f8a55c1502007

SHA512
0dec349e94eed77ff7835f7438ace929918e5a694a0832f32866aafab65d12947debacb2ea36ee3f33da7d46847d5a9b1c89ff36b827b986fee4f12001e88795

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
160KB

MD5
3be35550ca5b002d707e406ce0616622

SHA1
bf4fac05ba66f6736bf5a2212a649ee62085e492

SHA256
2613686b8efd596d3335c06b3a9354155f1f87c3761e3e18edd52e9ace2f9e11

SHA512
e2f9b33c5838f123cb57a549ab39a61a7ad29bbe9fa5615fb8d8832e68f9e60234fa441bec73659ce9f61d9aac3e940bb174c53ad8ad9f9baee551e921921d3e

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
160KB

MD5
aaf704dca7062f523305fd8355ae1a81

SHA1
d0b54589d1b485b9548b8afa862d85a9c2a7a788

SHA256
56f14de75713da5bf87569547a986ba5c3a6be210d4660e1538c24f0f523f420

SHA512
ebe407d4fff8e51e4e14207d7ffedf2101d3cb351b4b94a27640b7d2510f6d5c3fa83d25cb93faba62d373a5ecad9a9b689f1a5dbfdbdb466ac7b2c0af8e722b

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
160KB

MD5
2a8667ce026e26f5230f75c2eb466937

SHA1
38ec18ce96b5a6a70fbdaf0fd36d483673330ae7

SHA256
d9418192201be92395b7684778ce71547308eb592ec2ef3d0332b7d12aa06471

SHA512
e17544e9afc5ff1766b597242bc7ae585db3d5cb3b8697c8dc4c78bcf243ac0a7d40e306083bf351bd55ee5e87a93120508e95e55b9341a11454f7afc04396d4

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
160KB

MD5
82b94ac2aa65d198278ec86f141014ed

SHA1
422464c3e7e0cf4de76365f7562a1c52d2065c89

SHA256
ad2286c31e339b3ab9a9f27ba685ea292070aa2aa76d56d331f522af5ea7d012

SHA512
3d4b3426f4d8790c87e1062813e817fd0476844f346ad597a80e7f45c547a31b083b78fa17bace056d7a93248e5537607ec104cd42b243eda6f297d77dbc087b

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
160KB

MD5
128b49c7dba1638b977f7cb06161f392

SHA1
3a610c471d71bb8eded43aaed64158cd0f8ddba2

SHA256
7784af98e14a9f4d6ea3bebf60dc5662e97becebbce94c7c0a1397360024d5c3

SHA512
f850b40f12ced3e3cbb835a449906d7622f53d7767453210060c19402a02b264874baff659e837455c530277fc81d86de46bbcb38c67497e38ab9a156fa751a8

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
160KB

MD5
11476ab818139ee1fbe102fe7f598cd6

SHA1
0e21e2fe5b12b659e912a77c613582c4d6c29774

SHA256
ecd752e42b69c480cb91942c5d5e31b0f71e81a6db620d423e387586b6c235a2

SHA512
ff1dd96aaa074132f12ffbf63f823a994c2c04b90da5712f3ea0d83604b5c5c20e34ea6b06edd8ec9fd375b1e3fa11eddab98ff3f66ac1994319c06d617643aa

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
160KB

MD5
0377a8651ad05800d0fa9ed0e04b9206

SHA1
9e4a10fb23dc0ac9106b0bb759b4caadf3457297

SHA256
c8e69f206cd868d3dc5ce0b6e036133af6d01406ca42c8bcbd3503b723ac0a7d

SHA512
23335514c9c7c1697b940cfbfe6ce08c9f46dd71969dbf9fb073c9d91caa8de526898816cd560a05b3e41dd78748777529929f2607b58651d831bd5ca1c520a2

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
160KB

MD5
fdaa691a7ed156e513b4404a4b41ad56

SHA1
8d2d74e3f28d79769ee8d8bc0cbc0e1aa3806354

SHA256
44e71e0865b544c28a7e7a3b6bad76593a689891e73226edaa95b24e5283da72

SHA512
21c3e5f32bd8f0b9e6a98105d77b84096d7623acc45621f3aeeb20a198781cae7c18ac856333f6319c062ec4ab8652e5864fbbf667dc48fe4fa6528058d8eb72

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
160KB

MD5
af94f3dfa20de317656e80910d94d8cd

SHA1
e74b535ab2da8b5c25c8b810e3723c69e8864823

SHA256
391da6e07b79f11e8918d081e61271202441d4478711c8b3d8e50880227b1afa

SHA512
11c3290421904974e761ab06ca158b40cc2dbebbd6a1028996bb3ad8ae57154cb48161019c8678386e0469cf8e0d11e1ba1dca32f04a58e1780c7a6de7ef4324

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
160KB

MD5
da56acb4980b82ef704bd21623af0c73

SHA1
18f556762b98aa5accaef9c9fba15e11e81fa8a2

SHA256
ef9351c6620832d56f4b0d31cc238bcf414580efbfc73313d6e342d1667ceee7

SHA512
3caadc4d60922f86550186adad6aca72e51ea639077efc96d4823daae44a6777a88e3f13cd40951a2d61e805e497e89f36013d486916c1ce810554b9fd7509df

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
160KB

MD5
b272b2f6caab42519202f29fcad47d34

SHA1
637cb82eb4331eacb3975525d9237aae71ad761a

SHA256
f0de2e4ccd0c26faa919658ad34e5c88c026413ccd0d319f170f1eaae2e7a4cd

SHA512
794d38749338b352b78b76a8729b366e02329365b3821704f6ed98c5901053c3aaecb57f21f24de4829555e6cf04b52f035d05f3d9106b399f86f47d4699b301

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
160KB

MD5
848c887d30fbd588fa0c202287b58997

SHA1
4e245bbc8228c5e6c8724c788d0a3f01aabb88d9

SHA256
320473033450f8711404fb4a3336e414f6abe9b5fd86ab6afa25ebc73281f735

SHA512
2fa985ac4670c6af85e135cd44895049db61f729cc9ae22decbf6053f6629ebc620b071f5a3a5090f0981e974e3f64a6f271834597486880fba3f4eb5a06e0d8

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
160KB

MD5
2a8dc0b96525492e9424d5faa6c7f3b2

SHA1
a973ad2684917829f6d4f9bad91f8061cf9ebcfa

SHA256
c942758ba8818c6e3e4bda265e49dadd6f266a8c0973452f99d865774b8725a1

SHA512
f08b1553d670b62d6208d43e8dfd1201a0ed4021dba573cadf9c261058ae8038d23d7ecbc43fee1ebedd3562fb2070ef0f5c61a1d9e845d989b3875f41954cc7

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
160KB

MD5
c17fa285f6892bff004f32714a7f716d

SHA1
0447b3ec0b6c900ccc49194baacc932a4c31d728

SHA256
a2151cd77513fa57597108e9273531c829ebc4fc223faadeb13019d95ea078fd

SHA512
86dd797617a4801eabe02d5f248a789aea8bd43544c499265ba3417e2c0f67e465dc31e94ea182eaca34f5af24ecb466821027d18e76383d964486e03a9e2c5b

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
160KB

MD5
1c275f29c4e64e17273bc2ed404ea352

SHA1
5178350b1ba3db9434904bea4f0bdcd5a4d4127a

SHA256
5bd7b7b21918fa06311aa2ad8e28c2db24ca4d8bc9f4c9f6e8403d8b73a7d695

SHA512
ab13d105b1a9ab5eaa24c2b29513c8a7ba411de23dfe7066eb94c8ee7f878a6c723d84beb35bb75a1a60b342c65aa027c62bd9e0c8b8a881e0c8097be7e7edee

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
160KB

MD5
22d4a1f9b7a9f4ff5508356477ea34bf

SHA1
162dc15fe046ea2ef7322587deb6fe70c7b8a7d2

SHA256
02eb25740025975d480dd2d518a971e4dc8982c671312e8163361efc30d50445

SHA512
2041711d4bd0b3108f57f660d2b08f28fbda68c380890f4cef7442d497844f6fd9218c1cc1a5db6b54962f29e1eb902ce984eec8f1eff9cdd8c8ccbdcd89a2fa

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
160KB

MD5
79392598c1a29ee1c2411ce940e1e9fe

SHA1
3e43ff52ed7275d6d3bc89b8bd2c3f084108953e

SHA256
0d4d6814d58e07493c6e39db26b5459f6417451291fa9ea8cbc3e00b6d3aab57

SHA512
aa0eaa3e9dea44309e8c3fc24e4608642545e9dd0614e89ef7430cafa886a98a9a4d615324b2c9958229473b6a0dbe50303a296252d961fb13903def0bb4332a

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
160KB

MD5
99a580ddb6b5fcb9fd07a04266bcf9d4

SHA1
4c62a7619401cc9b0ba7cbd4c9d2b5ee1e8d0baa

SHA256
d9fdd92b16ba8117f5cef2068d35bebc3b614bd1467a4d95df5e530b410b2599

SHA512
acddcb8e10f8cd74409818dd2e7cd4f38c41d8cfd5ead512e1b000298cc8015074fa9c49a0aa52507099e67e1013089d1eb76c40e6c17e0789011082f0ed5ddd

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
160KB

MD5
5f82f7535f743c24d1f7493fcf693f98

SHA1
0402a058e7b2d6c86dc610dfe5886015f984c46a

SHA256
5cf78345c0c4aed1c951be81f44cb60b622158ef7cd05e1a9fc04f60cfb3df84

SHA512
2eebec5e57f725da6bb8c9363ced6a6c805041f4a17553e468f2400d013ad0e0905d4e8b2025543a53f708e8b157065b152011570fbd85b331bf2514f133e5ae

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
160KB

MD5
5c79a2c2dfb1a1725cc56dc4dd58dc9b

SHA1
77be5ac15f50096778ed8625811b12ed6aaafe4a

SHA256
7250249bb3a88c2104136144ab23d6e3cdef6ca3ac72e2c3ee210a0cb5f20753

SHA512
c7800eacd007b97d8959a38fee66dd27f3c7bab05cc6ceac06f81796e31a06c0bf756b3b6dfd8f2b6f04d93b6e31ae5194f114e5a022ae6bb0d3609a36f75268

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
160KB

MD5
4d3780f970f9b687eaab2bcb038fd046

SHA1
d1c01394989b23738471853176a082592f318a63

SHA256
c70ff281654602e5d8b1f187b4222bd61ffe0ccc53be142e30ce12b9b62500c1

SHA512
79c558c453960102e56e219bd02b92d277fd8baddab9dc5b02bbbd7369358de50c4989af6b04562c28a0a820516651cd62650382083a9e4fc4e8a566da97b9f6

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
160KB

MD5
e764e5d082c2b03b8ae04f3144a78b0a

SHA1
d007933510084bfd1d0b1d2656bf208735e86a55

SHA256
63f42ae3dcc5f9a7f440875adfd87997ff8f90bff204c8b5cf1d312dc420e04b

SHA512
f8cae8d62a033a28f9ff83457e433b031deb351e964b298c33f17439976b53e5c54140d9a3d50fa20e5a47e44177ce884a3c6d258183ce951eefd74fc1cf2acf

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
160KB

MD5
6bf73e29a46040d929faa01c5df61d0f

SHA1
cdd9b623b798ba5990036755eb96fcdfce12a8f6

SHA256
982ccb5185b540b68c877f4aea38b3d1739ce6799b0da2ab5a03df68c0ecbb27

SHA512
b850de10781f292977074d38ce3c76b0b00933f52558ac26bf6f0b6048ad286a6fc1aa8d4fe331a4385bca107af25b5e7d4bf51d6d10b739e838cd045b78efda

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
160KB

MD5
5358f55d6bb5e4654698a05d95df4e77

SHA1
6667d8ab9d9cea87241a669ca755d83e235adad6

SHA256
bf49e0d399e52cc3bfa3857874a68c3332411165d0f5139bb84e9e98160c8cda

SHA512
d8227771ebf49c96851f8416f1eb548a1070a0f4f80bddef504e01fe4fa1fb70b24d340e0ffc04ea6c84cb9f75b0cd676db593ec7c9e7d9e5c1af7dd34de44d1

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
160KB

MD5
826b851af7943b425a5b731e2b5cc46e

SHA1
90076c785382113693f3906b7d2d72a6882aa966

SHA256
43c07277ca56e30f44e0e74e487571419b8ac7379e15c6470879fe5d3fb0df7f

SHA512
b759735f3e41eb16b4324786ca6775c62f23b2b0ae1924721f97c2cee3935ebec03d70fb49ae366daa45d632e5c11319c9133cebe5241113ee3780f35aa9abd5

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
160KB

MD5
b77f138987e1f0b127348d29d7f5de06

SHA1
62923898139363dcfffc9f7aafce9efcd42aa0e7

SHA256
feea2920aa1c254ae13e3338dada601fcafb0313cee0d26a171454a0e29091d2

SHA512
6ae4c716110a3193d6bf6de6bda82b32fed3e95ac63b07b5fce58e3d2cac877f25aa98d69b303ac60d70de46002c7e9b1104403fc5066250236297c0053bc328

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
160KB

MD5
53737df9b5e0e97eb51dfba36bd1c609

SHA1
359a0f552da5bca6caaa8c1ea0287ac242962d18

SHA256
183d927c1ad3adc020705f7e3f71ade78338eda3e8cdc2053c468be0a5943ad3

SHA512
0af1ae4fa3228a0da1a3fa9a439115f0d36d9566a3d84c07abea1b64d654e2ecc7cad47f30a5ff06b0876714c072a22b6f5680908806d0267835b23362369e9d

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
160KB

MD5
3d9c424cb4fd38d81040b47ced510469

SHA1
ba6956898c74b8afe33e41c68bde021527455b9e

SHA256
010c25e370570c55c0b152cba9a4803055af6081ee01cc2d250a98521777b3e2

SHA512
69a5e106545d27f8efdaae6130a21034ced2cee35d02a88e2393861eb9f6c8e1b6c520437f5bb2567db04901e17e7e9f1caf6ac6b2183c05a2534ce7140574c3

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
160KB

MD5
a6574602851410e6874efeba1552b159

SHA1
542eed3dce6e65575fa5b177c99af5dd870559cf

SHA256
35c1bcff6d073cab1e0e765dc30fd9ed363e22c05731c63b02dc530e8d61e0ab

SHA512
0b8fa0dc08eac92e9eed9d5a91e62b6dd7bc7fa4d64c2a44b9912c9ec99892dacbe34a00d44905e9e34708e9b9719b2461fae8f08848b699adf4fc33e0511804

Download Submit
C:\Windows\SysWOW64\Plfmnipm.dll

Filesize
7KB

MD5
0add6f411ccd8a2a76c4f635d39b43b6

SHA1
1165f9239bb55c420087b2d22d5ea9ec1e8a52d2

SHA256
94f388f3fafb511226de0dfc5d55c59ea33be13168f7e4e0a81e775fd703fa65

SHA512
24ae732407ecb04da64107ea26e5c0120566582d0b9a5f0cb89351b438d9b8565222be3c8374fad800034e9fbcac5371bb7772ddc6e199f3ea3909e3819d1c60

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
160KB

MD5
6551c33cb4409bb10745a572e62d929d

SHA1
3cdba5d26b3812c14c1c1971e03da7ec7e6e082c

SHA256
f721d0b71ce9439e2f93d4af6c3be6ee2187c98c84a17e07a84499fb9b27fc56

SHA512
cf013ca12ec2943b19a5cea78e5ac6911908bb001f20e0a5e3fcae2de960acef531fa9a9fcf9e949811656a3ae072accf11c5be282aa82224723bdb7f6769367

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
160KB

MD5
4e18293a0ccc9e283b09050df5768d0e

SHA1
7b5b18e3c582035f930e2181c4c23a7ddbd8c06c

SHA256
33c5cfd323845ff8955ead7492e09988fa43b7ad8de3b98a7bfceb52bada73d7

SHA512
eee16f40db889af35a1a9b0b8f319f83309a2b5751630797f73610b45588bc8c48df055fd00a363ccabdb0d0f769a1434d9cce7f4561a15a831dda2ba754cee5

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
160KB

MD5
acb2d5e25d60fff88e040735f996d87a

SHA1
aeaf3ada2998bf23432d267c07656ca95c73dd72

SHA256
aa63850503d84113e4b8a19e0d76e4985d74f5227027915f16cf84a700a0ebc9

SHA512
648a3f60554ff8c56adb3e1007598ae8d386e09678eeab07cc198971ada459d7fc41d7efb176781da8dd343618618e394162ffa5b9062b309a5ab9fd34e13e46

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
160KB

MD5
4cf70dc309feb5db9564811728c580b5

SHA1
64db9c28cc729bd987cc66321cc86dff0bc80b8c

SHA256
837f8adfa2b21175bc993b93813808e0373118d9f0b403e9b718fa170fd5bc66

SHA512
c8757ffcaa7bb39270b304aa04db470e4d7a630da90a6b6272ab4825e0f1cbe476b92e71ee9ba1d209d9d387acdd6642bd598a099c8fa5453fe93aa8f0785f1c

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
160KB

MD5
bb058221f4865f26d4c0608ecd7aaba7

SHA1
2051064ad9c73958a28630244f98d092bf9d26bd

SHA256
024c76ec5e3933f8da4f48ba331299007bfb804652f749232f53a479c5b62478

SHA512
f8016ccbcb077993e676d9a626841dc1cc9a4f21c85d2b69567f7742e4cb8f711fc43a52c8021b6c6fdac97fbc544eddcab99702a6ff1f113e57e5d1cea7e942

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
160KB

MD5
9456a800dcfc49852a261aa22f2748a4

SHA1
728d4cb6852705209c20b9616524485d44ccbb79

SHA256
4394ac0a54aac1e9633315576be54901437d5db413452257311d21cdf0d7c0c3

SHA512
58413786420b0b1f5148475e2c5e0ce5d47d39a998772ead71c9ed973f132616a61dfd2e9d926e821608c7438a831f64be8e3e4144b1d7f8ec7884e279b8c463

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
160KB

MD5
d0fe655c968cd2d7772e2697655a1041

SHA1
f14d1b690a149690b47deba4c84d4174fd5f3917

SHA256
69dfe1273153dc1882300c713bda75fbb11c8c78dd670fa0e3ac44608aa3b9b5

SHA512
ec814ed9a6f6b7a2b1bd96ad3e624263c725f737a2a732578a0c17cc1b15e781f943f0f5051b91130cc0efff9c6eeacb5431e78a47083f728aee68b49069f6ed

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
160KB

MD5
5123cde8bc7274ac152e25c2c2c60583

SHA1
537430f396eec80c4b6e9d19563b5c2d73a47c3e

SHA256
2c1ddb592e1a17d34eb9ce5f920baca31da993751a296ef871976107baf3e837

SHA512
114cfb98a568d062d58d82ff63206a0d667cab2b3ae8dbe80101ba5b1eea3437d44ad46ee0dca7566447494ced2f93a9dcce0410e7e7f91db8e15ae92aaffb82

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
160KB

MD5
96ff1e0642e5619277555af6c110235d

SHA1
f0893f5b4aaeccf86000137e2267f2b6c54e08e2

SHA256
3f19360b1187474c44aa9eb4825785143746bf822cf75ceec60d09adb12add18

SHA512
ca68647c8eb97580ec9e13a3a6620dc54762ef25ba22b38193e2ca8bbb058db073e8ba30a7a23e5300c7ca21ea7ce58ca7453a07d5d6571a84a322c365a885e7

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
160KB

MD5
b4e176378be5daf79a8bf8f16ee1fd6c

SHA1
31e727dcceb8050828c55e3fb522686e18daf18f

SHA256
ee2b753d5e7d6e89c0cb0fa9aaadef98fb70fbafd47da8903c3e725a132718ce

SHA512
352d99f21a979dcc654f90d3afb9378c4007c7f7db0b5742150a98d37b62c6985bb4865227897e3a4c318763f08abb077af23a22a7a0f11a910efde70614f65c

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
160KB

MD5
6c4e85b7a80f17d67c646a503b004d97

SHA1
f39ea30f0f82d689d3c33e1c24fa608835ea3780

SHA256
6ad4500be07c089e30f9e9437fcfc515886da04f05863dfdbdfac8eb4a3cb2c6

SHA512
44138c08970ea7f76858573b846143f87250d2b8581178018c7a248333d214064892cd625411420e0f251f0d7f1a29b36eb17784c3c853e0a0037461d3278bcc

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
160KB

MD5
f6c37065ea13ad774f1007ae66b0bb41

SHA1
df81f4da065896c689192efa846721d867168a0b

SHA256
7af0447b02904317e3995db57f297b8f8bccbd8b1d4624a86c4f39451b241a60

SHA512
fb169d0d57154f2c0ecf7d8db2dd7d5233f999cdf6480b2bf890d76ba45090fa8060bed00dd029bae9ca314ab30ab862d2faad5e19eb4433a37a92e9d7e9e00f

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
160KB

MD5
f35e9e59d2e710e935c762f2138269a6

SHA1
a6af30bba8e35b17fb545bddf16103afe3fbdafd

SHA256
4760b0a8dc925f68af6399629245231fa6b45e26b1f0c6c7e44489aa3ee4ce1d

SHA512
b85f6ac3c4ab1d6f0868fb270bec5f68eb02a076e228f2ee67dbafe806e4e5fdc188e5222ff9565a548fa425ec00e140b862d14d4e4034b093bd4b2b5ffa7b29

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
160KB

MD5
456ba3649de4cc94563f4def8f9f1faf

SHA1
bbc5409beb39d95b3e667890080e68bf47373c6a

SHA256
07fb3b12e5f2076329ae4741b35612b4f337166dd020977a8dc05853a83316e6

SHA512
86d33fb5d31f0713228745ece0fca775f8c5cf26e5ab90ae11b132746b6283c05cb2b25bc93d09e997285d9e56f851cec1ff08417812b690dc1604ce8b9e7147

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
160KB

MD5
7ec895652679b48c60e7a4f16a24c2ba

SHA1
8ed12e26d9a879faefc78b134435f29e7c4a3404

SHA256
ff2ef9e183045bc820935a35b1a2a1e5869c9bfdacab3e4b4ccf1c7c9c89d781

SHA512
06cb30076bc2b3294a39531b105fd9e99f0f5650ca8895f6540a1808d0f3dfc45dc748aed93d06e24ff9ff4b0d49b369a6e07e9c9750750bb88bf511b8e79d11

Download Submit
\Windows\SysWOW64\Poapfn32.exe

Filesize
160KB

MD5
186467678a928a34173669436cae99e3

SHA1
cc13a5cb7e069afc5cafc68afd8a825385295f5b

SHA256
6540619612b1382fd2427c919628997e2853f098375871773cead61ee32a7ba7

SHA512
aff250818c72e7c425f9b0f5362a8cc88fe957be12e723e79f50405d406a5b23303448d5be3932d889d728385054cdb138aa62aa79f97f772349ecbbde57469e

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
160KB

MD5
cc85fa39866579b66e8ebfa63dc2d8fa

SHA1
bcf814c5e408b05e95c84b315f979de544f5e8e0

SHA256
17295cf2929005149dcca1920600d5905b91725fad4216212e03fa30bd385b63

SHA512
5523e39600fb59e44e6c59a2de0e1f1f67f232e049cd150e75406b6c78e17fa6618b945d9d37a2dec2ea5de163b68f6ec04c7fab84de03df1b2f6248d76b1bff

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
160KB

MD5
fcdc38d3ebf32316af1ce9af6b69e456

SHA1
15796679969430c33c4f5a50a815167d5f4554bc

SHA256
8a324fce98688997fa4d6286ec3b4a8ef25f3d8f26036e17cb3b6d2ee2e75e93

SHA512
c44d855737a2c4abd45b2273a17a3070541dbaa800543c385ebcc830b7eb65529781c4670757ce76ebdc2a7e18eb34cf1939b42f1bce9f0f70dfa6f1d85a31ab

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
160KB

MD5
4a4cac1faa88702355a2cd65aafb734a

SHA1
8773fd0e842757ca1e492d68af5ab2974f24e6e4

SHA256
b1b31a24f0f227c972ed94269977c4164f1c2884994783965a7866e2859e3cc8

SHA512
16f1ba3eac15bf02d36611cd7531128495cd4529341e3082fd6b248abaf4aa9f6916711c54076a4bb4e4f7cd4b12deb629b8f9f4cdc1ca4cdc45a73fdac66e61

Download Submit
memory/552-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/596-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/596-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-246-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/704-247-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/704-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-254-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/868-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-258-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1092-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-323-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1092-322-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1228-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-385-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1296-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-511-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1324-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-264-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1392-268-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1440-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-235-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1904-236-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1956-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-62-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1992-290-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1992-289-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1992-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-108-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2088-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2132-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-226-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2256-355-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2256-354-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2328-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-345-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2328-340-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2348-161-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2348-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-480-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/2356-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-280-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2388-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-278-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2524-311-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2524-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-312-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2540-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-121-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2540-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-497-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/2556-197-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2556-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2624-336-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2624-337-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2624-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-301-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2672-297-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2672-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-408-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2792-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-12-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2848-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-17-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2868-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-148-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/2912-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-417-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2912-419-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2916-89-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2916-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2916-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3020-386-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/3020-34-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/3020-40-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/3020-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3020-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads