berbew | 17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Size

378KB
MD5

c8bfec35146b81731f0affb0d486918a
SHA1

2d4ec2a9396f315b2ec6538fb5e0f0262f980b1b
SHA256

17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149
SHA512

b3fe97024d61609a1b0e7f0d5f6977c4cab59890d80a3a934eb4321662d79f9ff311a14e0edab665cb89c4ec4043e400416e6621e4811eaff8baae24e0272f14
SSDEEP

6144:nRnv+FEdELeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQM1:Rn8LeYr75lTefkY660fIaDZkY660f2lO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acicla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboeco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dboeco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efedga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbpkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpggei32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmcefmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkpglbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agihgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apmcefmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coicfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdkpiik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkpglbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coicfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpgfeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhpgfeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhbpkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpggei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkebafoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cqaiph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gockgdeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efedga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agihgp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acicla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cqaiph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpdkpiik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkebafoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gockgdeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
1560	Acicla32.exe
2364	Apmcefmf.exe
2824	Agihgp32.exe
1648	Bkpglbaj.exe
1716	Cqaiph32.exe
2288	Coicfd32.exe
1244	Dboeco32.exe
3000	Dhpgfeao.exe
2936	Efedga32.exe
2772	Ebckmaec.exe
516	Fhbpkh32.exe
2404	Fpdkpiik.exe
2340	Gpggei32.exe
1056	Gkebafoa.exe
1200	Gockgdeh.exe
1168	Hqkmplen.exe
288	Ibfmmb32.exe
2108	Jggoqimd.exe
1008	Jjhgbd32.exe
1532	Jnmiag32.exe
2540	Jibnop32.exe
1784	Jnofgg32.exe
2456	Kocpbfei.exe
1216	Kmimcbja.exe
1408	Kageia32.exe
2056	Lbjofi32.exe

Loads dropped DLL 56 IoCs

pid	Process
2332	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
2332	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
1560	Acicla32.exe
1560	Acicla32.exe
2364	Apmcefmf.exe
2364	Apmcefmf.exe
2824	Agihgp32.exe
2824	Agihgp32.exe
1648	Bkpglbaj.exe
1648	Bkpglbaj.exe
1716	Cqaiph32.exe
1716	Cqaiph32.exe
2288	Coicfd32.exe
2288	Coicfd32.exe
1244	Dboeco32.exe
1244	Dboeco32.exe
3000	Dhpgfeao.exe
3000	Dhpgfeao.exe
2936	Efedga32.exe
2936	Efedga32.exe
2772	Ebckmaec.exe
2772	Ebckmaec.exe
516	Fhbpkh32.exe
516	Fhbpkh32.exe
2404	Fpdkpiik.exe
2404	Fpdkpiik.exe
2340	Gpggei32.exe
2340	Gpggei32.exe
1056	Gkebafoa.exe
1056	Gkebafoa.exe
1200	Gockgdeh.exe
1200	Gockgdeh.exe
1168	Hqkmplen.exe
1168	Hqkmplen.exe
288	Ibfmmb32.exe
288	Ibfmmb32.exe
2108	Jggoqimd.exe
2108	Jggoqimd.exe
1008	Jjhgbd32.exe
1008	Jjhgbd32.exe
1532	Jnmiag32.exe
1532	Jnmiag32.exe
2540	Jibnop32.exe
2540	Jibnop32.exe
1784	Jnofgg32.exe
1784	Jnofgg32.exe
2456	Kocpbfei.exe
2456	Kocpbfei.exe
1216	Kmimcbja.exe
1216	Kmimcbja.exe
1408	Kageia32.exe
1408	Kageia32.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gockgdeh.exe	Gkebafoa.exe
File created	C:\Windows\SysWOW64\Jfmgba32.dll	Gockgdeh.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Cqaiph32.exe	Bkpglbaj.exe
File created	C:\Windows\SysWOW64\Dboeco32.exe	Coicfd32.exe
File created	C:\Windows\SysWOW64\Cbpjnb32.dll	Dboeco32.exe
File created	C:\Windows\SysWOW64\Fpdkpiik.exe	Fhbpkh32.exe
File created	C:\Windows\SysWOW64\Keclgbfi.dll	Fpdkpiik.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Acicla32.exe	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
File opened for modification	C:\Windows\SysWOW64\Agihgp32.exe	Apmcefmf.exe
File created	C:\Windows\SysWOW64\Coicfd32.exe	Cqaiph32.exe
File created	C:\Windows\SysWOW64\Dhpgfeao.exe	Dboeco32.exe
File created	C:\Windows\SysWOW64\Jggoqimd.exe	Ibfmmb32.exe
File created	C:\Windows\SysWOW64\Oecfeg32.dll	Apmcefmf.exe
File opened for modification	C:\Windows\SysWOW64\Fpdkpiik.exe	Fhbpkh32.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Jalcdhla.dll	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
File created	C:\Windows\SysWOW64\Idhdck32.dll	Ebckmaec.exe
File created	C:\Windows\SysWOW64\Gkebafoa.exe	Gpggei32.exe
File opened for modification	C:\Windows\SysWOW64\Jggoqimd.exe	Ibfmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ebckmaec.exe	Efedga32.exe
File opened for modification	C:\Windows\SysWOW64\Gkebafoa.exe	Gpggei32.exe
File opened for modification	C:\Windows\SysWOW64\Hqkmplen.exe	Gockgdeh.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Apmcefmf.exe	Acicla32.exe
File created	C:\Windows\SysWOW64\Gockgdeh.exe	Gkebafoa.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Cqaiph32.exe	Bkpglbaj.exe
File created	C:\Windows\SysWOW64\Ebckmaec.exe	Efedga32.exe
File created	C:\Windows\SysWOW64\Fhbpkh32.exe	Ebckmaec.exe
File created	C:\Windows\SysWOW64\Gpggei32.exe	Fpdkpiik.exe
File created	C:\Windows\SysWOW64\Hqkmplen.exe	Gockgdeh.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Apmcefmf.exe	Acicla32.exe
File created	C:\Windows\SysWOW64\Hjleia32.dll	Fhbpkh32.exe
File created	C:\Windows\SysWOW64\Ibfmmb32.exe	Hqkmplen.exe
File opened for modification	C:\Windows\SysWOW64\Bkpglbaj.exe	Agihgp32.exe
File created	C:\Windows\SysWOW64\Gnmbpf32.dll	Agihgp32.exe
File opened for modification	C:\Windows\SysWOW64\Coicfd32.exe	Cqaiph32.exe
File created	C:\Windows\SysWOW64\Hccadd32.dll	Cqaiph32.exe
File created	C:\Windows\SysWOW64\Efedga32.exe	Dhpgfeao.exe
File created	C:\Windows\SysWOW64\Jqgaapqd.dll	Acicla32.exe
File opened for modification	C:\Windows\SysWOW64\Dboeco32.exe	Coicfd32.exe
File opened for modification	C:\Windows\SysWOW64\Efedga32.exe	Dhpgfeao.exe
File opened for modification	C:\Windows\SysWOW64\Gpggei32.exe	Fpdkpiik.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Pblmdj32.dll	Gpggei32.exe
File opened for modification	C:\Windows\SysWOW64\Ibfmmb32.exe	Hqkmplen.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jnmiag32.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Ahemgiea.dll	Efedga32.exe
File created	C:\Windows\SysWOW64\Joqgkdem.dll	Gkebafoa.exe
File created	C:\Windows\SysWOW64\Jnmiag32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jnmiag32.exe
File opened for modification	C:\Windows\SysWOW64\Jnofgg32.exe	Jibnop32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	2056	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkebafoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbpkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpgfeao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmcefmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efedga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agihgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkpglbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqaiph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpggei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gockgdeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acicla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpdkpiik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqkmplen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coicfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebckmaec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboeco32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agihgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmljjmf.dll"	Bkpglbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpdkpiik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgfah32.dll"	Dhpgfeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccadd32.dll"	Cqaiph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnjlmid.dll"	Coicfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpjnb32.dll"	Dboeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecfeg32.dll"	Apmcefmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agihgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dboeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cqaiph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhpgfeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efedga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keclgbfi.dll"	Fpdkpiik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joqgkdem.dll"	Gkebafoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkebafoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acicla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acicla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmbpf32.dll"	Agihgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebckmaec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpggei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apmcefmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coicfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dboeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caejbmia.dll"	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalcdhla.dll"	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpggei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkebafoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cqaiph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahemgiea.dll"	Efedga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll"	Gockgdeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqgaapqd.dll"	Acicla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efedga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjleia32.dll"	Fhbpkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblmdj32.dll"	Gpggei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apmcefmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkpglbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhbpkh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1560	2332	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe	31
PID 2332 wrote to memory of 1560	2332	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe	31
PID 2332 wrote to memory of 1560	2332	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe	31
PID 2332 wrote to memory of 1560	2332	17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe	31
PID 1560 wrote to memory of 2364	1560	Acicla32.exe	32
PID 1560 wrote to memory of 2364	1560	Acicla32.exe	32
PID 1560 wrote to memory of 2364	1560	Acicla32.exe	32
PID 1560 wrote to memory of 2364	1560	Acicla32.exe	32
PID 2364 wrote to memory of 2824	2364	Apmcefmf.exe	33
PID 2364 wrote to memory of 2824	2364	Apmcefmf.exe	33
PID 2364 wrote to memory of 2824	2364	Apmcefmf.exe	33
PID 2364 wrote to memory of 2824	2364	Apmcefmf.exe	33
PID 2824 wrote to memory of 1648	2824	Agihgp32.exe	34
PID 2824 wrote to memory of 1648	2824	Agihgp32.exe	34
PID 2824 wrote to memory of 1648	2824	Agihgp32.exe	34
PID 2824 wrote to memory of 1648	2824	Agihgp32.exe	34
PID 1648 wrote to memory of 1716	1648	Bkpglbaj.exe	35
PID 1648 wrote to memory of 1716	1648	Bkpglbaj.exe	35
PID 1648 wrote to memory of 1716	1648	Bkpglbaj.exe	35
PID 1648 wrote to memory of 1716	1648	Bkpglbaj.exe	35
PID 1716 wrote to memory of 2288	1716	Cqaiph32.exe	36
PID 1716 wrote to memory of 2288	1716	Cqaiph32.exe	36
PID 1716 wrote to memory of 2288	1716	Cqaiph32.exe	36
PID 1716 wrote to memory of 2288	1716	Cqaiph32.exe	36
PID 2288 wrote to memory of 1244	2288	Coicfd32.exe	37
PID 2288 wrote to memory of 1244	2288	Coicfd32.exe	37
PID 2288 wrote to memory of 1244	2288	Coicfd32.exe	37
PID 2288 wrote to memory of 1244	2288	Coicfd32.exe	37
PID 1244 wrote to memory of 3000	1244	Dboeco32.exe	38
PID 1244 wrote to memory of 3000	1244	Dboeco32.exe	38
PID 1244 wrote to memory of 3000	1244	Dboeco32.exe	38
PID 1244 wrote to memory of 3000	1244	Dboeco32.exe	38
PID 3000 wrote to memory of 2936	3000	Dhpgfeao.exe	39
PID 3000 wrote to memory of 2936	3000	Dhpgfeao.exe	39
PID 3000 wrote to memory of 2936	3000	Dhpgfeao.exe	39
PID 3000 wrote to memory of 2936	3000	Dhpgfeao.exe	39
PID 2936 wrote to memory of 2772	2936	Efedga32.exe	40
PID 2936 wrote to memory of 2772	2936	Efedga32.exe	40
PID 2936 wrote to memory of 2772	2936	Efedga32.exe	40
PID 2936 wrote to memory of 2772	2936	Efedga32.exe	40
PID 2772 wrote to memory of 516	2772	Ebckmaec.exe	41
PID 2772 wrote to memory of 516	2772	Ebckmaec.exe	41
PID 2772 wrote to memory of 516	2772	Ebckmaec.exe	41
PID 2772 wrote to memory of 516	2772	Ebckmaec.exe	41
PID 516 wrote to memory of 2404	516	Fhbpkh32.exe	42
PID 516 wrote to memory of 2404	516	Fhbpkh32.exe	42
PID 516 wrote to memory of 2404	516	Fhbpkh32.exe	42
PID 516 wrote to memory of 2404	516	Fhbpkh32.exe	42
PID 2404 wrote to memory of 2340	2404	Fpdkpiik.exe	43
PID 2404 wrote to memory of 2340	2404	Fpdkpiik.exe	43
PID 2404 wrote to memory of 2340	2404	Fpdkpiik.exe	43
PID 2404 wrote to memory of 2340	2404	Fpdkpiik.exe	43
PID 2340 wrote to memory of 1056	2340	Gpggei32.exe	44
PID 2340 wrote to memory of 1056	2340	Gpggei32.exe	44
PID 2340 wrote to memory of 1056	2340	Gpggei32.exe	44
PID 2340 wrote to memory of 1056	2340	Gpggei32.exe	44
PID 1056 wrote to memory of 1200	1056	Gkebafoa.exe	45
PID 1056 wrote to memory of 1200	1056	Gkebafoa.exe	45
PID 1056 wrote to memory of 1200	1056	Gkebafoa.exe	45
PID 1056 wrote to memory of 1200	1056	Gkebafoa.exe	45
PID 1200 wrote to memory of 1168	1200	Gockgdeh.exe	46
PID 1200 wrote to memory of 1168	1200	Gockgdeh.exe	46
PID 1200 wrote to memory of 1168	1200	Gockgdeh.exe	46
PID 1200 wrote to memory of 1168	1200	Gockgdeh.exe	46

C:\Users\Admin\AppData\Local\Temp\17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe
"C:\Users\Admin\AppData\Local\Temp\17738ba55b0980140cbabfe79350c0390a4fd0c5398575dd910fa0f721268149.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Acicla32.exe
  C:\Windows\system32\Acicla32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Apmcefmf.exe
    C:\Windows\system32\Apmcefmf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\Agihgp32.exe
      C:\Windows\system32\Agihgp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\Bkpglbaj.exe
        
        C:\Windows\system32\Bkpglbaj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\SysWOW64\Cqaiph32.exe
        
        C:\Windows\system32\Cqaiph32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Coicfd32.exe
        
        C:\Windows\system32\Coicfd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Dboeco32.exe
        
        C:\Windows\system32\Dboeco32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Dhpgfeao.exe
        
        C:\Windows\system32\Dhpgfeao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Efedga32.exe
        
        C:\Windows\system32\Efedga32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ebckmaec.exe
        
        C:\Windows\system32\Ebckmaec.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Fhbpkh32.exe
        
        C:\Windows\system32\Fhbpkh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Fpdkpiik.exe
        
        C:\Windows\system32\Fpdkpiik.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Gpggei32.exe
        
        C:\Windows\system32\Gpggei32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Gkebafoa.exe
        
        C:\Windows\system32\Gkebafoa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Gockgdeh.exe
        
        C:\Windows\system32\Gockgdeh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Hqkmplen.exe
        
        C:\Windows\system32\Hqkmplen.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Ibfmmb32.exe
        
        C:\Windows\system32\Ibfmmb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agihgp32.exe

Filesize
378KB

MD5
60fadafa637895f6e646e8f83ac4095c

SHA1
e801df38e1937f7b095a0bd20d302408da8d509f

SHA256
2b6e1c688d7474513e110bc0c233ac6e3f2d42cbba64f945df6dd938c3edf3ed

SHA512
b5bcc1483b9758796dce06268d733de274376f9ddff0595778ff16c668c866cc4156a852b0f7f3260ef6a77d80af3c2aef4b421b11597d04ba132395e2a80db2

Download Submit
C:\Windows\SysWOW64\Gockgdeh.exe

Filesize
378KB

MD5
5ecd122ef08cd7a2f9d0493f573684ed

SHA1
a8f0713c6f8941f5f3ff020a00a451403d6b54b2

SHA256
a109160b403d37e317fc45de5a8e4b7762591f9060afc90d8d9b33af6d436628

SHA512
1bf90dbb4e0d37482e7b2f7525e92e4d8e2530979a1b0e70e38dec16b534dcae042d016c2e8ab12032c706a2d986a10806dac1961b2475da421fd5998994d243

Download Submit
C:\Windows\SysWOW64\Ibfmmb32.exe

Filesize
378KB

MD5
ba36e7998430a5f158b67b200db1c071

SHA1
c7f9b3b7f390de40f3e5d66f45c7174670ea0f4c

SHA256
4d8fcacb7334108b10b12df28f76ff3bbf01cace7bd901ad71d195bdc130eee0

SHA512
f6dd09f304b7668b84454b5c9b8106bb33a4f2376959f7035653b64074b8f9c5817879b94c4ae3c6d214fcaf135c1fc362871cea92418376d0f2bdd660706569

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
378KB

MD5
9b9b8af48642ce1dd15c5be65c3fd63d

SHA1
8a7beaaef5ceedd0d955afdf5c6a6f0e0ec33fb3

SHA256
eab78b5304fabf94eb2022e0ec288d63bf77ef4671a0a3af3cd3aedfc1269643

SHA512
59ab55fc793c0a0ba3ef6268df306703fc3a6e9c838fe80ded7af59eb95edde5c7884fbeb7f318ff7d57b3b367544095fd2cdc8486d39c7f97f2bd410ee76682

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
378KB

MD5
1cfd2ad88f618d53cd1f4d2bc054c3bd

SHA1
f309f5fdaeacee9adeff72d5f954ecad6b9c3b4d

SHA256
472602db1f033ffabec3bb89a28a77600eafe95d4c430a4631e7eb9a9bbf9719

SHA512
b87c460b377b0685083b90cd0b4a07241e3dd04f0f7737bb7328202917516f3739059b1a52e4fbc04686b2c4efdd09ce532046a2359725309fa93d0d3c4ac8fb

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
378KB

MD5
741c779e5ffac143ac011e32e8773090

SHA1
275d6bba5fbe29ffb18afa6739f307238bee3ff5

SHA256
f620ba9588508e025aac6a3396813d381703b87dbbaef9506a669f7f85fe5cc7

SHA512
d5a6a4448bbbac5812e7ebbed75d9412c864eff469ed444006d8e2b75ef6f0a66760dd1059839bf91455d2b702f84fd4990be21ae7ef38cff2a12e37ffdcfa9d

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
378KB

MD5
7b73afd19a8f0a6173538e81fa3d6c6f

SHA1
989971e9c76b05d6224271dd18560e37144a4b85

SHA256
edc38f46b8917942c93b914c82a152044799b8f08fedfded0d8b880c4e1bbf07

SHA512
00aa2199cd29083753eeebd14e2fe5ed0b93f04b6375c4071143ac326a232024cf844517d8d8e033f266fcd96b2489167dc278c0ca08ea8042e456e39068ec18

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
378KB

MD5
a1c0e9f58bf7c8c94d333d225c34d6f8

SHA1
1ec93fa4abd02715e7748b1c823a6abfe6ee7de5

SHA256
00eac5b5c3d7e62536518956e7ed2ba5b46d2ea73345c936c7f33c6b7459b362

SHA512
b46107d76ad255729aa8ce1bcdfcbc31d2abb76dd476496c1da322026e2706a947f1b40f9aed6e896efd1295638f2fda53d74021f7a0cf0e3a6119995579ea9c

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
378KB

MD5
b609ba69fff2201daef0d58beedcfc57

SHA1
3d55901fe1f2a022bef5cd23ffa442af06218dbe

SHA256
ba38752a28efc0de2e6c2e38ac8ec0847b197c54191c646c3e2e48bb6fff8821

SHA512
f375874ea74b09634af663f2e8a284aa7ec84abf06ef9aeec0b60b749402af98fd37de02349712e1f8ead25879bf4941fdcacf1f3459418fc62e29877ec06443

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
378KB

MD5
a69adaff7f826e2d5ba76d68b61834f9

SHA1
0130976af1272f010fcbbe01563b2379183b669f

SHA256
058f2a54397618124b24d1b1a174ff13ad711b8a570c573966881f79493e2e91

SHA512
8722b653e1f3cf9fe5f8291c918270da2eee20142b24f749524c48864cd0729c8e3046e373684b1e08f8f973b97094295d09cf19caae44e098a3a4e30ffb2bab

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
378KB

MD5
ef7e7d46d15aaa14a0bcf6ff084d8c66

SHA1
2d737b2c58acd29e8fd54a82508cce65a8e028c1

SHA256
d9c12de7ca1b9030448b160316f9502d9b2c2e301bb411eb70b573cb1d481786

SHA512
e3eb28a184445e9823e9fc48820dbfd2523c9985101797313c9e8a9db35dd99faa7ae5edb04007f3b4c4da6bea0b492b9c355ca0ef62edebf8605a764127ad56

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
378KB

MD5
19203105e042dd265b6f69becf7a049f

SHA1
7f800e2106682cf7001cfb41c61779e0e72335b1

SHA256
de52d94d0e1e0c48c917790cd18a4627e3d3e3e740de1031af2e6018d451cb9d

SHA512
b0bd06a103ab38ebc13983dd84321689c25249564c1b89fc2fc5f4cbf2ac34c7de7a843044b306643549d1077864b95f97b000de7f0bca6dfd118633982ebeed

Download Submit
C:\Windows\SysWOW64\Ncmljjmf.dll

Filesize
7KB

MD5
f215e8b417b9f73f4fe47ba3b9504dff

SHA1
da54ef725d77012119258099ade13f40ed703257

SHA256
534861d73ee794d9c60eafcf3e609cd32532e46dd130a7fff2ff366bfa9f2e44

SHA512
106aec76bb15a21c5dd3d886284a292d594345ceb7dcfe0792aefa3f347bd0642f196f73cdd93913bc6295211ea7eb99cb934d35218510e0d78825b897f08a64

Download Submit
\Windows\SysWOW64\Acicla32.exe

Filesize
378KB

MD5
39feea1e9310c648d539b61b8c83ef1e

SHA1
144e3c4be45a2e5b39dbbacd402b661f1eac0adb

SHA256
cf68fceba6956f0073f2e7a0c46ed881559b32ff26d038030045a7148cb31221

SHA512
bb40ee2910ca411fba1c5206289ef81161e2982503757b070d5ea6374c12f7bd2428f8c1c646fe68ae0bdad376e58d32debcf76aee92b5ac5825747ec3c2f927

Download Submit
\Windows\SysWOW64\Apmcefmf.exe

Filesize
378KB

MD5
6f990d189ec2aa98f6e3f8888fd5a965

SHA1
c3e6ce4bcd13d6e44fd4b5158356f7bdd0bc7f8e

SHA256
db1573586193b8ace400f9073c7935e31acd7f2b15de38a7828716fa30fcb725

SHA512
6a2d1e48cb34136ece736baa2a12f0eefb38fc3dee622f938ecd6a1305073ab282fdb7ace864f2a534f20e82c005448a9066e4b416473e819beace7dadb5bca7

Download Submit
\Windows\SysWOW64\Bkpglbaj.exe

Filesize
378KB

MD5
c8ce29e1fb4745eb4cbf6347b8573eea

SHA1
843f6f6baee997792908d3d47389d3819779f7f9

SHA256
6eb098ba43954aec1ac2604cb0ac54ea6855546746e5e1ad0ed14ca0cf6bd238

SHA512
d2cfbd689792d3985aa32adb9ef8ddb86006d15f8feb8810251c965189944961031480c494ec6281fb83595aebd5c11e416553882a8dcaae3f519ea940285f7f

Download Submit
\Windows\SysWOW64\Coicfd32.exe

Filesize
378KB

MD5
bc9f4d1f2d24414559ed86670f374fe9

SHA1
f9e5a22a7519c6dd80e6d7174f15235d6b1df346

SHA256
4bc3ec6394e4946a2b730638ad96c3126ed908106909dc2646a88120a4757ff4

SHA512
254b5a96b765d1cd29a59c4f88bbe6b93fe785d0d4a26fa08928324b1c2e827a537f102e884d0d3cbc19f129da79af30f065b5dd77147ca736e1703aa0cac615

Download Submit
\Windows\SysWOW64\Cqaiph32.exe

Filesize
378KB

MD5
cc18182ded1306262dd2e03085c2c0c9

SHA1
7f1b65069de6fc0e31ac26b49874f9afdb0388cf

SHA256
ab392fd2924a3bdf19b875a34f0879d2715066a8adabbb55ad3e21db0a4c72d5

SHA512
20c7ec3a4bf815c7eeba56c6048b54221ae95b47aa2bb82a6acb80c1749e7daf7ff57f9eca73a23e2330d063dfb988cf65cd123dc031d5dd43285797d329ccb5

Download Submit
\Windows\SysWOW64\Dboeco32.exe

Filesize
378KB

MD5
4dc4069270fc8acb51be355d1156b159

SHA1
88ed8d620fea1c4a6585641510343afb1da8fcd4

SHA256
9a15d4e1c2d0b0fd2a028418cedde68f079d5ea0a853a7f0a373b7e5d5267ddf

SHA512
5253d687e46533827fe55c58e6d1cb186ed7b8dbe284b93c3949afc2986d7ced00156c96d5d3e29e5ec5d6e9e50b870b1df1dec90fb1a68d1bbb1274cf9da4c2

Download Submit
\Windows\SysWOW64\Dhpgfeao.exe

Filesize
378KB

MD5
cca17e5a2e69ef84efd826ec1aaf1535

SHA1
130b833e02ec0442fc3931f5a82af270e09246de

SHA256
1d13cd03e3ca4b59b6ece7525483a6300242f74e9392b23070f42f7a8414ef18

SHA512
c315f6f55ad7d081109946832430c569e7badcf34c609662c11ad286988eaa88f5d834e693ad1a2e43bfb6e64479425d4cecb5941ba49131fe2c72bcf8503eba

Download Submit
\Windows\SysWOW64\Ebckmaec.exe

Filesize
378KB

MD5
1c19f80854fe7c7d067b2004a09278cc

SHA1
0e4daf6112460a2a69a50e91b7b81c882d3612cb

SHA256
cf4effc01efad651a8c9fed8cd30a2c8cecc8d5845d2faa482f698cd2b30942b

SHA512
dd8534bbdf06ce1db88d6e3f354ab8fa5999c71da085c7b9f5820b3cac435dc6eb01b9c4e273e87d46bff54bb4f7ff4163f3288aae0688504fdff13c798e7e56

Download Submit
\Windows\SysWOW64\Efedga32.exe

Filesize
378KB

MD5
d3568442ec21eac06aa6985ebed72f9d

SHA1
647901cb7758e94089295fd87982aaad655685f1

SHA256
9f1c41ebb770092dba5f62ffd41ec1e2fa3a617d1b8b76ced9d0910723106f13

SHA512
68ff3066a5e023d76af257a31c0a35edeacefba72b3c21cb43204fd8380c49136d7e0e32de64e45c20152dca2baa55677756b44dabf3ab1720f91e3bf72cc705

Download Submit
\Windows\SysWOW64\Fhbpkh32.exe

Filesize
378KB

MD5
63ac73ced34c69a916b974e6ed2d4222

SHA1
ba6257c62feb299ba8749643c576687b1e6944ef

SHA256
c94dc7903679ed113e9ef2c140e3a878176a1027d535e4685a8e8e626a454707

SHA512
d46b1345575b827bcc7848b69cc4afa4f53b32c52784a1e9484e5ba7d56920f6630c6f5dfa29f39b330325d121f63f5894fd82cc76c7d4dc27c54b3661a0ee28

Download Submit
\Windows\SysWOW64\Fpdkpiik.exe

Filesize
378KB

MD5
8bb361cd4ed77d0d298e917b1fdf0286

SHA1
6a8c68bd1c4ad2c1042f0cb1a2f5974a1e09c263

SHA256
35406e00147b33fa18fb29bbac8d80eac8e72d7eab1549774c8735763d80de3c

SHA512
05a9ac6b8c52df5813ec6a8538e5581d8edf9bd7e248ea2a9cc464262a7d491425bf7d90a10ed2bfa03a8d4189ea1c253159baf7eb65fa77623c9e599ec6bdc0

Download Submit
\Windows\SysWOW64\Gkebafoa.exe

Filesize
378KB

MD5
f43c54b76cba1ca6b87f26ff4144d880

SHA1
e33a3fcda73d3e8615bd9b4d74907335a5542b82

SHA256
74697544d8ed0ac2799f59a6df90bb6ec7b1954905cd67018128bf7b84202f27

SHA512
76867fc83ddf6620c48cddf9e239e6c1ea093e4901eb6aba7d4ca5ad7da7cdac8f7695729a1efd1225d72a10fa1e0a523b6d6272121493855d1a1585962e7290

Download Submit
\Windows\SysWOW64\Gpggei32.exe

Filesize
378KB

MD5
94f7966ceb582af31f2b70ffc36e3ae2

SHA1
e4aafb7caee48d911d99b89bb9261a94b8bbf527

SHA256
2a55a880d646cb2a3547fa5808f9fd5ff688fff14b7c285dbe630dab60b86214

SHA512
13616bd288071aacc6f0bc3db9975c8850d4420e5daa3178d89fc318eb48ee52910709ef6577930d08e0384edc7a396eab26d90a1063643edfc6a5a18c7f0172

Download Submit
\Windows\SysWOW64\Hqkmplen.exe

Filesize
378KB

MD5
7d717b613d550fec27e825b9b23b9de3

SHA1
c94817d9b2a4480604f31ad4cc2455085e9a27e4

SHA256
f2b15739775cf13f0d1f56d2b38d47cb91d32732ac4eeedb72d81b366ff7a366

SHA512
0aa71bf9843e5cf64a4538dae6b56258718742768fe68833b1e6125e2fc4ec660cf0981c84bbad7302d01faa0b9696bdcd441e0da01f80d1f7c41be4516b562b

Download Submit
memory/288-243-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/288-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/288-244-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/288-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/516-155-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/516-167-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/516-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-266-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1008-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-262-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1008-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-209-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1056-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1168-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-223-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1216-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-319-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1216-324-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1244-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-107-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/1244-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-330-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1408-331-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1532-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-276-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/1532-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-28-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1560-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-26-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1648-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-69-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1648-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-79-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1784-297-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1784-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-303-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1784-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-255-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2108-254-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2288-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-97-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2332-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-12-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2332-11-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2340-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-190-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2340-182-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-42-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2404-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-309-0x0000000000490000-0x00000000004D3000-memory.dmp

Filesize
268KB

Download
memory/2456-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-308-0x0000000000490000-0x00000000004D3000-memory.dmp

Filesize
268KB

Download
memory/2540-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-287-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2540-286-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2540-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-149-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2772-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-51-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2824-43-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-139-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2936-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3000-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3000-125-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/3000-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads