berbew | 686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa

Analysis

max time kernel
95s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe
Size

73KB
MD5

78adba1c34bf8ca6d03acb7ed0b553ef
SHA1

4c47da77fac5c26212a90bd3772ccca25bd86dc0
SHA256

686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa
SHA512

949651cd099bac65f6720f9166d52d770ece713f786c58efe3a7f11938fc6d13650e34d5174622f205f599089f9f5cc3a75a591fde56066886206e2e1cc6e212
SSDEEP

1536:2aL5QefEVWhlp5pKvJjHHajdsRsS49vCRA1FMbA38JD:2GBE0hn5AdOiRsS49vCRaFWND

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppaclio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfmolc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4752	Ojcpdg32.exe
888	Oqmhqapg.exe
428	Obnehj32.exe
2148	Omdieb32.exe
1068	Ocnabm32.exe
1300	Oflmnh32.exe
3360	Omfekbdh.exe
1516	Pcpnhl32.exe
5164	Pimfpc32.exe
2360	Ppgomnai.exe
2976	Pbekii32.exe
1588	Pjlcjf32.exe
5740	Pmkofa32.exe
4620	Pcegclgp.exe
3524	Pjoppf32.exe
2132	Pplhhm32.exe
4356	Pjaleemj.exe
5584	Pakdbp32.exe
3176	Pblajhje.exe
4068	Pjcikejg.exe
5952	Qppaclio.exe
2504	Qjffpe32.exe
960	Qmdblp32.exe
5672	Qcnjijoe.exe
1036	Qjhbfd32.exe
5716	Amfobp32.exe
5332	Apeknk32.exe
5256	Abcgjg32.exe
2256	Aimogakj.exe
5700	Apggckbf.exe
2932	Afappe32.exe
5152	Aiplmq32.exe
2588	Aagdnn32.exe
3180	Adepji32.exe
1964	Afcmfe32.exe
1524	Aibibp32.exe
1484	Aaiqcnhg.exe
2328	Adgmoigj.exe
392	Ajaelc32.exe
5712	Aalmimfd.exe
5080	Abmjqe32.exe
5596	Afhfaddk.exe
1248	Bmbnnn32.exe
64	Bpqjjjjl.exe
5288	Bfkbfd32.exe
5724	Biiobo32.exe
3696	Bapgdm32.exe
5996	Bdocph32.exe
5608	Bfmolc32.exe
3556	Bmggingc.exe
2456	Bpedeiff.exe
4200	Bbdpad32.exe
2252	Bphqji32.exe
3992	Bkmeha32.exe
3276	Bmladm32.exe
1096	Bdeiqgkj.exe
3720	Ckpamabg.exe
5104	Cpljehpo.exe
4684	Cienon32.exe
4244	Ccmcgcmp.exe
5280	Ckdkhq32.exe
1600	Cancekeo.exe
1156	Ccppmc32.exe
4816	Cgklmacf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Glofjfnn.dll	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Pjlcjf32.exe
File opened for modification	C:\Windows\SysWOW64\Qmdblp32.exe	Qjffpe32.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Aiplmq32.exe	Afappe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Afhfaddk.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Podbibma.dll	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmladm32.exe	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Oqmhqapg.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Aaiqcnhg.exe	Aibibp32.exe
File created	C:\Windows\SysWOW64\Paenokbf.dll	Aaiqcnhg.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	Bphqji32.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Labnlj32.dll	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Omdieb32.exe	Obnehj32.exe
File created	C:\Windows\SysWOW64\Ppgomnai.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Apggckbf.exe	Aimogakj.exe
File opened for modification	C:\Windows\SysWOW64\Bapgdm32.exe	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Bmggingc.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Gflonn32.dll	Obnehj32.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Omdieb32.exe
File created	C:\Windows\SysWOW64\Icbcjhfb.dll	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Amfobp32.exe	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Aimogakj.exe	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Pjcikejg.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Adepji32.exe	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Aagdnn32.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Afcmfe32.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Amfobp32.exe	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Aimogakj.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Dilcjbag.dll	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Ckpamabg.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Pmkofa32.exe	Pjlcjf32.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Pblajhje.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Aibibp32.exe	Afcmfe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5004	4024	WerFault.exe	162

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmidnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphqji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgomnai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbekii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adepji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojcpdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlcjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjffpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apggckbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcmfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgmoigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjhbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apeknk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhfaddk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afappe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcikejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcnjijoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimogakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblajhje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppaclio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiplmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaiqcnhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfobp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aibibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biiobo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll"	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qppaclio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khihgadg.dll"	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcikejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphqji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafpga32.dll"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll"	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbcjhfb.dll"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4752	1212	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe	86
PID 1212 wrote to memory of 4752	1212	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe	86
PID 1212 wrote to memory of 4752	1212	686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe	86
PID 4752 wrote to memory of 888	4752	Ojcpdg32.exe	87
PID 4752 wrote to memory of 888	4752	Ojcpdg32.exe	87
PID 4752 wrote to memory of 888	4752	Ojcpdg32.exe	87
PID 888 wrote to memory of 428	888	Oqmhqapg.exe	88
PID 888 wrote to memory of 428	888	Oqmhqapg.exe	88
PID 888 wrote to memory of 428	888	Oqmhqapg.exe	88
PID 428 wrote to memory of 2148	428	Obnehj32.exe	89
PID 428 wrote to memory of 2148	428	Obnehj32.exe	89
PID 428 wrote to memory of 2148	428	Obnehj32.exe	89
PID 2148 wrote to memory of 1068	2148	Omdieb32.exe	90
PID 2148 wrote to memory of 1068	2148	Omdieb32.exe	90
PID 2148 wrote to memory of 1068	2148	Omdieb32.exe	90
PID 1068 wrote to memory of 1300	1068	Ocnabm32.exe	91
PID 1068 wrote to memory of 1300	1068	Ocnabm32.exe	91
PID 1068 wrote to memory of 1300	1068	Ocnabm32.exe	91
PID 1300 wrote to memory of 3360	1300	Oflmnh32.exe	92
PID 1300 wrote to memory of 3360	1300	Oflmnh32.exe	92
PID 1300 wrote to memory of 3360	1300	Oflmnh32.exe	92
PID 3360 wrote to memory of 1516	3360	Omfekbdh.exe	93
PID 3360 wrote to memory of 1516	3360	Omfekbdh.exe	93
PID 3360 wrote to memory of 1516	3360	Omfekbdh.exe	93
PID 1516 wrote to memory of 5164	1516	Pcpnhl32.exe	95
PID 1516 wrote to memory of 5164	1516	Pcpnhl32.exe	95
PID 1516 wrote to memory of 5164	1516	Pcpnhl32.exe	95
PID 5164 wrote to memory of 2360	5164	Pimfpc32.exe	96
PID 5164 wrote to memory of 2360	5164	Pimfpc32.exe	96
PID 5164 wrote to memory of 2360	5164	Pimfpc32.exe	96
PID 2360 wrote to memory of 2976	2360	Ppgomnai.exe	97
PID 2360 wrote to memory of 2976	2360	Ppgomnai.exe	97
PID 2360 wrote to memory of 2976	2360	Ppgomnai.exe	97
PID 2976 wrote to memory of 1588	2976	Pbekii32.exe	98
PID 2976 wrote to memory of 1588	2976	Pbekii32.exe	98
PID 2976 wrote to memory of 1588	2976	Pbekii32.exe	98
PID 1588 wrote to memory of 5740	1588	Pjlcjf32.exe	99
PID 1588 wrote to memory of 5740	1588	Pjlcjf32.exe	99
PID 1588 wrote to memory of 5740	1588	Pjlcjf32.exe	99
PID 5740 wrote to memory of 4620	5740	Pmkofa32.exe	100
PID 5740 wrote to memory of 4620	5740	Pmkofa32.exe	100
PID 5740 wrote to memory of 4620	5740	Pmkofa32.exe	100
PID 4620 wrote to memory of 3524	4620	Pcegclgp.exe	101
PID 4620 wrote to memory of 3524	4620	Pcegclgp.exe	101
PID 4620 wrote to memory of 3524	4620	Pcegclgp.exe	101
PID 3524 wrote to memory of 2132	3524	Pjoppf32.exe	102
PID 3524 wrote to memory of 2132	3524	Pjoppf32.exe	102
PID 3524 wrote to memory of 2132	3524	Pjoppf32.exe	102
PID 2132 wrote to memory of 4356	2132	Pplhhm32.exe	103
PID 2132 wrote to memory of 4356	2132	Pplhhm32.exe	103
PID 2132 wrote to memory of 4356	2132	Pplhhm32.exe	103
PID 4356 wrote to memory of 5584	4356	Pjaleemj.exe	104
PID 4356 wrote to memory of 5584	4356	Pjaleemj.exe	104
PID 4356 wrote to memory of 5584	4356	Pjaleemj.exe	104
PID 5584 wrote to memory of 3176	5584	Pakdbp32.exe	105
PID 5584 wrote to memory of 3176	5584	Pakdbp32.exe	105
PID 5584 wrote to memory of 3176	5584	Pakdbp32.exe	105
PID 3176 wrote to memory of 4068	3176	Pblajhje.exe	106
PID 3176 wrote to memory of 4068	3176	Pblajhje.exe	106
PID 3176 wrote to memory of 4068	3176	Pblajhje.exe	106
PID 4068 wrote to memory of 5952	4068	Pjcikejg.exe	107
PID 4068 wrote to memory of 5952	4068	Pjcikejg.exe	107
PID 4068 wrote to memory of 5952	4068	Pjcikejg.exe	107
PID 5952 wrote to memory of 2504	5952	Qppaclio.exe	108

C:\Users\Admin\AppData\Local\Temp\686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe
"C:\Users\Admin\AppData\Local\Temp\686d509c9413e61243b8c661f1577301e1ce95448f4ed71de502785a92eededa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\Ojcpdg32.exe
  C:\Windows\system32\Ojcpdg32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Oqmhqapg.exe
    C:\Windows\system32\Oqmhqapg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\Obnehj32.exe
      C:\Windows\system32\Obnehj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5740
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5584
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5952
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        40⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        54⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 420
        76⤵
        Program crash
        
        PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4024 -ip 4024
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
73KB

MD5
56d05219758c9649a77f6d923cc3b2ac

SHA1
125475f20567c71be32c075808449d19048b44d3

SHA256
757d2697d6615bcbc6b9ca9c348afaf74163f56754cb486b9e2056c46b79043e

SHA512
61b6e3567448dae74d6b06d0b22c138fb8d498e4bd6ae113dcc8d9068bcbebfeb7ccb5f3c8bc4674494bbaf087291cf28fd0a80a8ad1235448b0ca8dba304518

Download Submit
C:\Windows\SysWOW64\Afappe32.exe

Filesize
73KB

MD5
2b8301ff9c5820be932a9695d67cf21d

SHA1
518af017be0fd7d691c4a3710360db8b553826f2

SHA256
3f0efa872bd90101f4abdb71d88bab8d95cb68a046f59e629be4e21c2a342ffe

SHA512
faf28d2e40f54862119131b412f620a223587e86816f53249e066b2371c95eed008ec4464c00888906687b36a4b9d81e405a4ac6876c7c8510f8bc046d95f5a2

Download Submit
C:\Windows\SysWOW64\Aimogakj.exe

Filesize
73KB

MD5
398a1a2f8a50ff8568c84a84392e46df

SHA1
f42199f0f9edc225ef4fa733dd4544c5783cf9ea

SHA256
da3821924f6abcabac826d1b99f166c90044b3bc9cafc99970ecfe5a3303cfd3

SHA512
2dabfc53a4cc4ffc41c0455e325ea38189e2d97dfe02bd3211db34ce0cfbfc87abe47e7c796af744f15612d3d1623c8c231849a3ab4e022174253c4d88178753

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
73KB

MD5
464af519a6e2012af761bb51a41f73a4

SHA1
12ea1f01ca0d88c7dddb843de1e6feb09059547b

SHA256
5937b0d57a9b3d36213ba312a293d5c92be1319d90660602082fc825a36244a7

SHA512
8dfcc58fc42ca6cb7f4773106eff956683093a471a1f6e81788d7c531f5ffdfdee776801576d03ec29968efb2ab5896a6d1484447219010a34be7e06fb65cb57

Download Submit
C:\Windows\SysWOW64\Amfobp32.exe

Filesize
73KB

MD5
eb1afee69fa94a6c724e3c35bd475a89

SHA1
89249a2c9281e1f705f17428f6ca7cc0607277da

SHA256
d68bf13c73b38861d5fa83e9229abf549b7a2aa08b579668ca7e0c6581a730da

SHA512
4dd40e5041563b9b02210c48f21ff750f19ac099bffce7dcd47626adaae619c1b8c3fe07a45c4c69f5014856a70ca09a6eaaad638db8b8572719dc79e558f3af

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
73KB

MD5
0bfd1675613dcedda0726a5df4500bab

SHA1
9345982115f3325c06c9cced15b80d4fc1cb5e63

SHA256
7e71ab7242d4a6db3017a4c99a7e93ab8439cb248e620d687ebdce17ee067fdc

SHA512
e6f6fafc4d39b1037ea7ee53a3bf3ccc1f01581ccc0c7dc4a638e38c3d12e97c35107f82949cacd9be0c66ed05bd7daa06a200dc746851a7c0820d87aa4961b8

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
73KB

MD5
3282c5cd8661ee2e6ffff4a4135ea597

SHA1
412cdc29b877146fadb513212b7b170b0679ad3d

SHA256
8a7d07a2f3bdaf0addf337e765ea4396fb98516508b86071a3aef8fdf9687469

SHA512
1bf12a528d6145a69218cda1e74ae86452cefd80e63f58b72596932bf49eb169d54353d1afde4e008f79fa8bd763f8d3829ba8c368b8e9ee6808d46747fd8886

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
73KB

MD5
0e127ad41541492622bc605e01a6802c

SHA1
2fa8d9e5c213b169c9962954fc6ac947e7afad87

SHA256
b94fd6980db1d4824b543925fb67f176cd30e7c9daad4481fa6c208bac45b895

SHA512
1d16e971e3dc90c262933cc6dbb054189a6ed107aa3098318386b0609cb1cfc19caa7fe00e50c02277bbf0d8c9b1a439d8741eeea8ebad3b75e85b33e84d3f14

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
73KB

MD5
4d3808c61b3bd81f9adc00984abfca8d

SHA1
c9f6f0e5f018e27f03bf18db0e31104a6ec66c79

SHA256
8f2f6b0edf200a86abc86aa839d8baafd3cdcd15a3187053ae6df36fd737e28e

SHA512
bae2f66dbb6d8a2e2afd634bd84010f9ea6f6d982c50c51d0bcb21dd0ba198c7cfc756cfe674db9580d4314094a35c2b10f858fc293764b7ad1e7ea0eece7c12

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
73KB

MD5
7264be60d5bfd453067ebde7ddd11914

SHA1
1ffffd08d21e9eb89418c0dffed6fa5e35988b11

SHA256
c779f1dc4f7eaf5e4575917050bff67b3908f7cd431063a1c0a238076dda1f8b

SHA512
f5fd34effd6499594ab8d31aff22079efae5a7687772f8d2cabf61902909363c0dc08b7942cc7609624ea942af5336649a3905931cd438058315eaf094f904df

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
73KB

MD5
91c127879578b5c488c4e8d529b10fe7

SHA1
79c1256ba550dbbab64eac45ecc05988af15af6d

SHA256
b5935ee2adcde4d2b69de39de6a5a1233a66e8b870cf2e2b755f8d231a231862

SHA512
71eb80b3046e515e7e111ca134a35a462717c77c6a2ead3388ea7a3d5480c11d62ee4767c019a253fe8245244b6a3277d012179dd7fc3fa42c933ff795082c41

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
73KB

MD5
11ab611249f4bf9cfd42e152353c2b47

SHA1
1473c92fc17db3122bea657bfd54ce8209e33e44

SHA256
3ccf94bd4d194bccc70225dd52bf1d18fdb67d54bb48cf331ec1cfb8cf8be818

SHA512
dfe9767290feff423ca3b10c8b9e3062e43dead303b66c2ec71dcafe1f51c035c5a1b7f64c4dd6af335b4b6b4803fdc97fb734f772016db0b4f07c1df9a2b718

Download Submit
C:\Windows\SysWOW64\Kpikki32.dll

Filesize
7KB

MD5
365feccdf71eae788b7c6e820895f97e

SHA1
f71ec413837b1cee172a7a9e8119acc920d7df8f

SHA256
75252673ab72acb60f677a641d8ea3512a0f2c6d1d5894d3787b713268d74d61

SHA512
3ba87978eb9258a3cecaedde4a29164b2702d10860d5c625e8d709b0470688320b3c70e315cec96aba904a1d6c428126fce7236fd733a9623f4853af3448f390

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
73KB

MD5
c8f7b79ef3d159cfce3e0d0f8b27a85d

SHA1
cdab1ffe833c9f847502c6867bfb8b206fe4786b

SHA256
3a38c2a7e99c1c1f9dc8af5c19cd122997f3866cc5592a862bfdc763c161d827

SHA512
1d7ec093cdf9ae07ae981a6ee21873da17b963d8a6a000ee43a7e06e49acef3f5970dcc47bf4d07e87778acd927c22355f7b99c96e28e34f022cf2496cd9c609

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
73KB

MD5
c6bbd00c9757862237dfcf954174a577

SHA1
b8ae43f8d5fd1dc6573d84cb89b0a54c044073fc

SHA256
4078696b71225118e722b47575c8af978de548499e1ef9912aacd1d42402ffc3

SHA512
af600c3ee4cffd87b61cb8cd7d28ed6681e78b50a8f80a680b06200bfa4dc8bf910f779c6fec3ceb9d9ea01ef15bd72cb5e71217c489b33853430ef1ca2dfb71

Download Submit
C:\Windows\SysWOW64\Oflmnh32.exe

Filesize
73KB

MD5
f0a373f220faeaf2aad4c15829defa40

SHA1
4436717e9ee4104aed5037effee93688ddbe3402

SHA256
97842a346455f9f531f21b645b47f2521280c38cf8482828a1749d59430636be

SHA512
ea538e80117c59c65392758cde60f9eeb8817492397a1b1f2cdf9c4c2fb4d805d22bd1db6ffbab9c453e7bdc893a83d7b24762d4f5c2dd2fc68027816b025b08

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
73KB

MD5
f1a7351d8fa7f4fa2a9878a846f6ced9

SHA1
6e5f69e61c98d05053d0969362a337f9b276c5e8

SHA256
4d359a5853ce4e51ca09f9a757206294c6df2cbdf2c7097584744d1ab8c20922

SHA512
852b7937b88f4c86b0ac5d7e04120c3a2c2ec0dbfcad417b17a17ec2ff1092c2865bb9f67f0f216f96cc98efcfbb4cfb0a5e089e9e75502983f1674f53bc9e5e

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
73KB

MD5
032fb609d5f8c1871150183e35cbc19d

SHA1
a873f9c596ec07dcb009ac9e7270868a9978f4d0

SHA256
c70f292e5cd2cf6c5b6e8702ae5aeb676cdfa91f4251f1824d90101d67d7ca3e

SHA512
89e21a143dcdcf45427da95c20da28f4a1f240031c99c2139b1058b379fb08ff137ac492a6fcf8d973ae731f29011efe38dace3aa6a5e9efcf81ed50cb8842ec

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
73KB

MD5
8d83cc4696c876925df4711a60ee1067

SHA1
2a94e63a4aaef10279ce3e69c781040b5bfeb11a

SHA256
1a8f54c590e8b501a0493704efe5057eff46db9bbbfa9b8e83defcf250a6b254

SHA512
14dab400daf640a5656d3924e03625764ea83f086159135a62e47956f2e3297ffd20503b003a19aaf1278b40619318f05b6f9a75d03ec77e9cbd5e3360536eb5

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
73KB

MD5
07b338606add9df3f0a529e86f2766ca

SHA1
7d51363b1a600a88170b0231e2ca853290886c8b

SHA256
e29586f9c9e314b25f0833d2275d66a8c3d8fec9f026beebd45d5b4222c32a84

SHA512
ccd0b2e401761bee145692d166ba166389622dde4b9deb4734c2e30b29f622ee4d344206cbfab57d689a8dbd769ecc68c803661b1ffcc1163b3d5d53cb99af6b

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
73KB

MD5
ba6d06fbff314bc7846592d1774867de

SHA1
c87c86db9c6db4f9a085ce57e692e56ff6f88ee9

SHA256
7437a849606dbcd66ba7ebf2c6a9e22ed90c87b2b0ad331e739528ad4f52d739

SHA512
97da1c7dc170c74341f640a488560f3a43e9c258163633de14c283731b075f260ac47ea93764e5379c307ef629b057458774c3df77b9c11a396730256b5ff523

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
73KB

MD5
b7543c41f2575ee2e214a5693a93ec00

SHA1
010abceaf0200514fa82393394096dc5d7d2779d

SHA256
0e6d214d0eb498fa3b46793f7daa0c5df23032f191e8cb89954269a909321f74

SHA512
2fddc04406f1e76140bccdd13b2d89928bf6f601e7f203d8bd509198dcf56879d33bf1ba877e5b1f378b31b1f073176e696d8d8ee7d138f297b62e6cb8ec7ffd

Download Submit
C:\Windows\SysWOW64\Pblajhje.exe

Filesize
73KB

MD5
714f41e5078c49b9983feb4d1c2f05db

SHA1
f24b49fbbccc89de1ffce4b83d861f04c614888a

SHA256
4e85c6c25bab083949c6df2285e2cd19284a9fe010aa600f1c3e699b2518a3eb

SHA512
0beb80173bf64de64f0a342c8c07fd23ae740cb277c97701123e697f617063a3feade9051e573519ff98828e39221177826a3a0d0f04a5b0a7699f20a70168ab

Download Submit
C:\Windows\SysWOW64\Pcegclgp.exe

Filesize
73KB

MD5
2cf1ade56b003dfdad0e658c7625ed34

SHA1
83e23992a0b3dde4f64b61cb75769ef48938a36c

SHA256
ec05d6b187027e0b687cc8e0df3705ca5a659974a72edb3f42b50f400e25c0c8

SHA512
98890eaf07d20e8aa5059edf49f78846eeea7b4967e107691b320faa0009771295b362325d5ba6341a43a27af517b5280a2dac35714b302545df2122ed37e6cc

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
73KB

MD5
30e4e50863d89ef9057f29001f094707

SHA1
64829a435b7f957beee0bd5abdf8d378cfe0fcb0

SHA256
b415d34e04754715e75960badc6609ccaca24204997deea9d7d8524ef433784a

SHA512
57c81af276453f5c477c1b002f05a33d61733edf2ac6382d1f24d998fb99062b4a45a3ce256f3bbfed2cc547279d4ffe56583f6a3314053ca95eda1a41f05826

Download Submit
C:\Windows\SysWOW64\Pimfpc32.exe

Filesize
73KB

MD5
e2427bc344963f3a2b948476901ff163

SHA1
6f8263c795ed3c706c4faf37c3e433307ba34b3c

SHA256
d1bf50b1b220fa4a9d453f67eeb15f0c7ebcfca1d817faa74286cc2ae2a0a913

SHA512
9bd20c27f6e46a84fa911c6d736ce3916519bfca8df2c88ccdc6d31554e372685910d9c973ae4de466309c7d1b00fe5e81225625eefef144b158d448813b13de

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
73KB

MD5
82f136bd782ae82d2876e6dad49033fd

SHA1
531cae7282fe95747a11dc47e7c2e66cea72f6e3

SHA256
e6d4a1abc5f4caf483ec14ab840716d0b49413ec7a8c888bdb19396b09f976af

SHA512
0dce366fd8b09e93c2d172cf7f3d79cac296a683830bf287ea2ab3ad5ce1f88fc934f90ab7c5d9b307602c82cf1f7e0af2b2f01a955b7a3deca6f0132a8a2a4b

Download Submit
C:\Windows\SysWOW64\Pjcikejg.exe

Filesize
73KB

MD5
9c1d6781b8418822f8cddb7e97ca85ee

SHA1
37edd4fa7a02dde1043391a8b574ffc2adef4ed0

SHA256
65c5d581f24e343508704a0c8225801c4a1f79b4ed972e1d37b9d363e5a6132f

SHA512
18386c93aff69cebb07009091f0a20fdb6a0416f320dae4e5e94ff406ade3b4c5e181943ec9859c71e4800de402b981b8f3b5e6d0c25091472c77826afacb486

Download Submit
C:\Windows\SysWOW64\Pjlcjf32.exe

Filesize
73KB

MD5
cd489876bc3ced582c67e11209d2f360

SHA1
c53ff86eaf2fd918beae78fa5f2d9df98065bb6b

SHA256
735fb847d610c6448add832e9ef48e1592b5b18cbd72bcd70ec9b62ddc777b03

SHA512
17b7e59267759c8c142b5ef9c412f30718c9ab9e89e2999ce5f2a4ba09a4b8175be6deffa97f07bd69aa538a0ff7e529a7005436ce059ab2983a9bbc9c59a7e1

Download Submit
C:\Windows\SysWOW64\Pjoppf32.exe

Filesize
73KB

MD5
36978be72305dc789179908ad637b28b

SHA1
bf6c4bbb75a4694cf7ed9e7cb5f64102e43aaba2

SHA256
6a892bb60fdd6a18d098a9d74c0828951b2c04db2c8b6bc28c80147e1e012b3c

SHA512
b60bce029d0cb95210182c1511ba03b7605c310732bfc6ee8995bf47e96a1761f5780f364d98fd67460046546f90e5c4e4f93bd8a9fb0152c25aea68af73c4a5

Download Submit
C:\Windows\SysWOW64\Pmkofa32.exe

Filesize
73KB

MD5
205ce5bd91a7392828d75c83517c1244

SHA1
eb144499ae9957a6b4a0e088b9eacf3bde44f290

SHA256
3ca3aa7c222b0722e3a953b4be7893afbf8804e31856ad13f30776757b6b5a13

SHA512
1074b0fb27f6d73fbb8b4a4150f938ca6acbffb4dda6446200499678afe73eaa72562542d3efad55282422ca9a61ce03721d699e33f4b4197b0a5d5d0aa779a3

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
73KB

MD5
077dc415e2b14905a6d46911bc80fafe

SHA1
989c36797ffbab56ca8d263388e08f530bf4e19c

SHA256
7410567684af718657e672faceb2878b42411de5cde9577259ec0723f12faeca

SHA512
bb9a55cb7ec33bc237261e75b4718f1693019fb450383289dd7476220a7add4a07b4439317b9f5936562e3eb722ac17455247acb34dae199c9695a488367bc94

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
73KB

MD5
5d528c4981da9e4cbd63ed3666e07c2c

SHA1
3b7ee1f185275dc29d89304282fa96a6f4627157

SHA256
a19a8bc17a2a6d90776c3bbf386f1f1c5bc6c2485b1f99cecce71861ee4402ff

SHA512
8dd783af909a3071a199660df0843084c7fac681af33413fd1166541e69327f202c771b1d0d62a3f12d73f2e86c3d070bb030daaaa6ee82d1872418c62e3293d

Download Submit
C:\Windows\SysWOW64\Qcnjijoe.exe

Filesize
73KB

MD5
e4b71fb9f30eb2e64fa59d651485d91d

SHA1
b376e6632eff7c1dbc3e7ac2d985cf1b18b531b1

SHA256
f9548e007b8f64f881963deabefabea2786f8e9f2ff2daa2e0ea9a3de98da7a4

SHA512
f9178bc7ada0020ef1185a9d06afafd02956e2be44b6be737af690c57a3612084512f3f418633e4a9cf0f96ba9eaf1e0f5f40c493591aab81889328311331750

Download Submit
C:\Windows\SysWOW64\Qjffpe32.exe

Filesize
73KB

MD5
79ce7a59a72a5b88ec6c8635a4438631

SHA1
dae3a783ca7777b11db6707f362a1bece0fdca71

SHA256
4bd885360a842e3805e9b81da667cd25ae48dd3d4d6b3471be027d299b9f22bd

SHA512
c08ce74a4797d46b5870c6ae9638e80ff36bba65541136eac3fad3312cd9f4a5a4c9a8d8bc9dccd1a5c973c964deb725d256457f37e36794cf381c8cffa321fb

Download Submit
C:\Windows\SysWOW64\Qjhbfd32.exe

Filesize
73KB

MD5
8c8c23f8f685bc62fd28c18c528d6b69

SHA1
9ba2a90bc978308255dc2bd306901398d4334df4

SHA256
672ee4b09d2c7759cb366220b92e43a7632569ac857622ab10c067bb7eeba152

SHA512
1185f1a673ec2c706d677cf0223bfdd84de21745fc338514aa16865389c80c11f617019e843733cd10dad61d74efeb9908f61cee53d6b689c5e04b7ee25b1a68

Download Submit
C:\Windows\SysWOW64\Qmdblp32.exe

Filesize
73KB

MD5
89cb453cde9d78fd474ac15d02759ed4

SHA1
e28ae94c043c62ef9982de7d35944138b69def2f

SHA256
0e0a0108135a1afdbbf5af723ca473ac31d9d308e6900a971e1807a410182552

SHA512
f5fbb4478d9a3868a68e6d25e1a631781a6aab76d0d3dde8e8d408c935e0b361a3bbe24a4975de391deda916e21bf52d2bf47357dcb808c746c9b18855bed6e3

Download Submit
C:\Windows\SysWOW64\Qppaclio.exe

Filesize
73KB

MD5
9e141c9ff1a27e3ad43e7086cdfd2ea0

SHA1
a5b5dd1684545904982a3fe6b9f0ef3fd2a5b96a

SHA256
74e8282ea9cb0ac55b1959d0ebc01c01f8b479caa9a41ca6fc0fc931a91c727c

SHA512
12f9f6f0be4188a5656c903034bc7a63e646b7314c5b70500b0d41136c1f23f5352548babadb06336b435aa194796d3d8596fbfa40d9484031a13c9c08172d33

Download Submit
memory/64-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/668-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/668-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1068-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1404-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1404-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1828-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1828-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-505-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4200-524-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4200-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-517-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5152-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5164-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5256-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5288-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5332-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5352-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5352-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5364-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5364-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5584-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5596-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5608-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5672-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5700-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5712-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5716-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5724-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5740-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5952-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5996-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6104-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6104-523-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads