berbew | 8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe
Size

256KB
MD5

fbc4e609e218f3368acb82152e2e79b0
SHA1

6c7d58b283c77726bf3edec545d6b9c206363f2f
SHA256

8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7
SHA512

ae85804af773362d336fd847f2eca23392d0a7d9bcb99b17fc2178b52d041f319f975f939b143486e045a5dc83e5787623c0016b5930c149872eeec7cd8b5204
SSDEEP

6144:CETa3WaEV+tbFOLM77OLnFe3HCqxNRmJ4PavntV:jTm7tsNePmjvtV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moalil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfdk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
5048	Ieqpbm32.exe
4864	Iagqgn32.exe
4044	Ijpepcfj.exe
3344	Ihceigec.exe
916	Jbijgp32.exe
4496	Jehfcl32.exe
3032	Jdmcdhhe.exe
2740	Jaqcnl32.exe
644	Jelonkph.exe
3696	Jeolckne.exe
4764	Jjkdlall.exe
4272	Jbbmmo32.exe
5060	Jlkafdco.exe
4388	Kdffjgpj.exe
1344	Kajfdk32.exe
3624	Kongmo32.exe
1648	Kehojiej.exe
1976	Khfkfedn.exe
5024	Kkegbpca.exe
452	Kopcbo32.exe
428	Kaopoj32.exe
3340	Lbqinm32.exe
316	Lbcedmnl.exe
2280	Lahbei32.exe
4832	Lajokiaa.exe
4364	Lcjldk32.exe
4936	Moalil32.exe
4572	Maoifh32.exe
3816	Mdnebc32.exe
2904	Maaekg32.exe
3288	Moefdljc.exe
1140	Mlifnphl.exe
2796	Mccokj32.exe
3756	Mkocol32.exe
4700	Nlnpio32.exe
3872	Nchhfild.exe
3496	Nlqloo32.exe
3192	Ndlacapp.exe
1128	Ndnnianm.exe
5020	Nbbnbemf.exe
4088	Ncaklhdi.exe
3052	Okmpqjad.exe
2420	Ocdgahag.exe
4812	Ocfdgg32.exe
368	Ofdqcc32.exe
1512	Ohcmpn32.exe
2040	Okailj32.exe
4424	Ochamg32.exe
2408	Oheienli.exe
1528	Okceaikl.exe
1492	Obnnnc32.exe
4488	Ofijnbkb.exe
1008	Omcbkl32.exe
5008	Ocmjhfjl.exe
1532	Oflfdbip.exe
2320	Pijcpmhc.exe
4556	Pdqcenmg.exe
3724	Pmhkflnj.exe
4440	Pofhbgmn.exe
844	Pkmhgh32.exe
1152	Pmmeak32.exe
2212	Qfgfpp32.exe
2216	Qifbll32.exe
440	Qmckbjdl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmgglf32.dll	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Jlkafdco.exe	Jbbmmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ochamg32.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Eiebmbnn.dll	Ndnnianm.exe
File opened for modification	C:\Windows\SysWOW64\Pijcpmhc.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Gjmheb32.dll	Iagqgn32.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Emnhomim.dll	Mdnebc32.exe
File opened for modification	C:\Windows\SysWOW64\Maoifh32.exe	Moalil32.exe
File created	C:\Windows\SysWOW64\Mpaflkim.dll	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Gedkhf32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Jjigocdh.dll	Maaekg32.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Moalil32.exe	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Jcokoo32.dll	Ocfdgg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Lajokiaa.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Mccokj32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Hiocnbpm.dll	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Nlqloo32.exe
File created	C:\Windows\SysWOW64\Maoifh32.exe	Moalil32.exe
File created	C:\Windows\SysWOW64\Mkocol32.exe	Mccokj32.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Kajfdk32.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Ohcmpn32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jehfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Moalil32.exe	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Jeolckne.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Moefdljc.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Ofdqcc32.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Mjfkgg32.dll	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Mccokj32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Ochamg32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Mjicah32.dll	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Nbdenofm.dll	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Cqgkidki.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Cdpqko32.dll	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	Maoifh32.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Paajfjdm.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Mdnebc32.exe	Maoifh32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbbmmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiphhpk.dll"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mccokj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjigocdh.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnggccfl.dll"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdgahag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lahbei32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 5048	3208	8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe	89
PID 3208 wrote to memory of 5048	3208	8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe	89
PID 3208 wrote to memory of 5048	3208	8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe	89
PID 5048 wrote to memory of 4864	5048	Ieqpbm32.exe	90
PID 5048 wrote to memory of 4864	5048	Ieqpbm32.exe	90
PID 5048 wrote to memory of 4864	5048	Ieqpbm32.exe	90
PID 4864 wrote to memory of 4044	4864	Iagqgn32.exe	91
PID 4864 wrote to memory of 4044	4864	Iagqgn32.exe	91
PID 4864 wrote to memory of 4044	4864	Iagqgn32.exe	91
PID 4044 wrote to memory of 3344	4044	Ijpepcfj.exe	92
PID 4044 wrote to memory of 3344	4044	Ijpepcfj.exe	92
PID 4044 wrote to memory of 3344	4044	Ijpepcfj.exe	92
PID 3344 wrote to memory of 916	3344	Ihceigec.exe	93
PID 3344 wrote to memory of 916	3344	Ihceigec.exe	93
PID 3344 wrote to memory of 916	3344	Ihceigec.exe	93
PID 916 wrote to memory of 4496	916	Jbijgp32.exe	94
PID 916 wrote to memory of 4496	916	Jbijgp32.exe	94
PID 916 wrote to memory of 4496	916	Jbijgp32.exe	94
PID 4496 wrote to memory of 3032	4496	Jehfcl32.exe	95
PID 4496 wrote to memory of 3032	4496	Jehfcl32.exe	95
PID 4496 wrote to memory of 3032	4496	Jehfcl32.exe	95
PID 3032 wrote to memory of 2740	3032	Jdmcdhhe.exe	96
PID 3032 wrote to memory of 2740	3032	Jdmcdhhe.exe	96
PID 3032 wrote to memory of 2740	3032	Jdmcdhhe.exe	96
PID 2740 wrote to memory of 644	2740	Jaqcnl32.exe	97
PID 2740 wrote to memory of 644	2740	Jaqcnl32.exe	97
PID 2740 wrote to memory of 644	2740	Jaqcnl32.exe	97
PID 644 wrote to memory of 3696	644	Jelonkph.exe	98
PID 644 wrote to memory of 3696	644	Jelonkph.exe	98
PID 644 wrote to memory of 3696	644	Jelonkph.exe	98
PID 3696 wrote to memory of 4764	3696	Jeolckne.exe	99
PID 3696 wrote to memory of 4764	3696	Jeolckne.exe	99
PID 3696 wrote to memory of 4764	3696	Jeolckne.exe	99
PID 4764 wrote to memory of 4272	4764	Jjkdlall.exe	100
PID 4764 wrote to memory of 4272	4764	Jjkdlall.exe	100
PID 4764 wrote to memory of 4272	4764	Jjkdlall.exe	100
PID 4272 wrote to memory of 5060	4272	Jbbmmo32.exe	101
PID 4272 wrote to memory of 5060	4272	Jbbmmo32.exe	101
PID 4272 wrote to memory of 5060	4272	Jbbmmo32.exe	101
PID 5060 wrote to memory of 4388	5060	Jlkafdco.exe	102
PID 5060 wrote to memory of 4388	5060	Jlkafdco.exe	102
PID 5060 wrote to memory of 4388	5060	Jlkafdco.exe	102
PID 4388 wrote to memory of 1344	4388	Kdffjgpj.exe	103
PID 4388 wrote to memory of 1344	4388	Kdffjgpj.exe	103
PID 4388 wrote to memory of 1344	4388	Kdffjgpj.exe	103
PID 1344 wrote to memory of 3624	1344	Kajfdk32.exe	104
PID 1344 wrote to memory of 3624	1344	Kajfdk32.exe	104
PID 1344 wrote to memory of 3624	1344	Kajfdk32.exe	104
PID 3624 wrote to memory of 1648	3624	Kongmo32.exe	105
PID 3624 wrote to memory of 1648	3624	Kongmo32.exe	105
PID 3624 wrote to memory of 1648	3624	Kongmo32.exe	105
PID 1648 wrote to memory of 1976	1648	Kehojiej.exe	106
PID 1648 wrote to memory of 1976	1648	Kehojiej.exe	106
PID 1648 wrote to memory of 1976	1648	Kehojiej.exe	106
PID 1976 wrote to memory of 5024	1976	Khfkfedn.exe	107
PID 1976 wrote to memory of 5024	1976	Khfkfedn.exe	107
PID 1976 wrote to memory of 5024	1976	Khfkfedn.exe	107
PID 5024 wrote to memory of 452	5024	Kkegbpca.exe	108
PID 5024 wrote to memory of 452	5024	Kkegbpca.exe	108
PID 5024 wrote to memory of 452	5024	Kkegbpca.exe	108
PID 452 wrote to memory of 428	452	Kopcbo32.exe	109
PID 452 wrote to memory of 428	452	Kopcbo32.exe	109
PID 452 wrote to memory of 428	452	Kopcbo32.exe	109
PID 428 wrote to memory of 3340	428	Kaopoj32.exe	110

C:\Users\Admin\AppData\Local\Temp\8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe
"C:\Users\Admin\AppData\Local\Temp\8d48ecd87e0d6f6d97faf98647424cb176df35a64bfcbf6ea19382831d70cec7N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\Ieqpbm32.exe
  C:\Windows\system32\Ieqpbm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\Iagqgn32.exe
    C:\Windows\system32\Iagqgn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\Ijpepcfj.exe
      C:\Windows\system32\Ijpepcfj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
      - C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        58⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:8
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
128KB

MD5
0d972d55b2377001fcc835d06cf8f82d

SHA1
4189cb54c9d955822049b2509ce92992dec2dc6b

SHA256
a9cd1098520f906aa2eb0a0b8df47b4d18c6daa8e02a8cfe6d4f57e78725d175

SHA512
98b95a5b3d15e17860d00bef78bb5feff557968fb292be3d6cf97d56d5a2de83d275b5aeaaa2b9c6d5d65ff8482579f5874960bdf8a7adbd53d1256d5215b984

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
256KB

MD5
1ea1e3698e430721fcf1b337d4de8fb9

SHA1
c36a2f5547f432e998a88283d3140b54e6f78de7

SHA256
d0f5bdf228d5fe80572327032f3cc4d7749ce4a753b78c78056b2da08e11c79b

SHA512
24cfd301ec038835a410bf70993bd3c11b0cf5dae88d8b925f5e08049831e32281a6819d4fc072fc80c1517b19c6244ed08d2429d9a369d6d3a017f2b9e03a4c

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
256KB

MD5
90c97f53f458525ecde2aba58b9209c9

SHA1
acb329ceb1407cc532cd6053d05d7d7559b15421

SHA256
ae4d73321789027e98db85a18248b5f8266928bf1cf0ba08b0f558ab40d62ccb

SHA512
b25e1524403f30176d993958a67390a48b99d6abb1e6c300abc36744559f592fe128608d4be4b2b4ca924069f6d8c3aba70da344eb087f517335c87e2e719e3b

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
256KB

MD5
340ef3b6c175acc5a4dbaaf297579ebf

SHA1
def1b1164fd7c552c90a3b3af59a70500d8d7a1c

SHA256
c183d3775df0b7549b175678872256f8d7392105a348c722381e11bb9b88163f

SHA512
273f3e94e53e78cc023129cad3f3f61e34165a4ed74abb3ca6ad3ab3d61752ead5549df92fedac72bbf6624e7eb53f9d1a02c9ff15f264c89db91792625df797

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
256KB

MD5
92271110705d240fdf79e783273d58d8

SHA1
5b959bb262eb3dce57c1dbb7bed85e31fd86fc6f

SHA256
152aad9ae1da869e119d59147bfceba500da0187aa2bff593883400ec7cd4c58

SHA512
c23021130b0c6381ee641fa6f2335a337471e8c52b489f9cfc2cbc408db5def4af93b794934e156f51c95cfef61e64b0528388ec67171904697d1a958b7ced51

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
256KB

MD5
f061e2457a59441cc67e23c92887c3c7

SHA1
eb0601574a9b52368eb0f77679e22a59dfe35f4c

SHA256
f9e7f6fa0aff7f435c05f25a88124479e3df2236daa1348341a5a4d1df898388

SHA512
da074af6bb90edd589822a6c0065f8a23f4deacd6b5d69b2dbf5316caa6f0f0ffc05a32bebb98c51cc54c20705f6170eedeadb90d1ec390b24fcbbd7e791d25b

Download Submit
C:\Windows\SysWOW64\Jbbmmo32.exe

Filesize
256KB

MD5
0856cd9c484dbe9ea97be2a0f16cf537

SHA1
1f12e6846c0390dd26b966fa0db4aa8b5614917c

SHA256
663d39447d4ed5d58721d810be00bf1fced535d26a1e60dd981951e631ac4b1d

SHA512
21d08aa447ded922139ce06c5cd1462b7597ad414ac8db8329dbc80a7c87c8adb1f21e49999935a400b65b7e77128bf39a666b405b2909b412e9be96e1aa4ccf

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
256KB

MD5
41bebaca7721627ecd4a1d52d7ffe2bf

SHA1
7bc84627cd3153c5a7e0c250c1749edc51abbcf6

SHA256
93de3a2736af810cb3db3e61a4befcd7b41ee1430cf69d6f7f3ce230d4c6986f

SHA512
7bc0a0cf715ac17ee329ca38663d95dd7308dbccf38ac2b921ccb4a959e87ebbefecbb092cadf0158799183915bdcbd1dcb6f009a90decbbde6eaef05bfa103f

Download Submit
C:\Windows\SysWOW64\Jdiphhpk.dll

Filesize
7KB

MD5
af2dd02f20f110a59d6c9faa6a5ca942

SHA1
3b6fd2480ba1ff66673cedc0a719158dabd9eef3

SHA256
7afe256b717fdab9b70eae85e2dba24b9f200a9f42fefc975ccf8e23e3abb5a4

SHA512
1c972d7301b8f32b25c0a1bedb40bd8ea3fad6a4fb76effc844cd3560e425fcddf4c458c1b853ccc808ffe1803f0bd9eb23bb7162081ede6897fe84c0f5d95f7

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
256KB

MD5
fad83ff250afa4346a3568d3daad8f7f

SHA1
0222232a05b6894b37f11199399fab4274363922

SHA256
70ac42934a2c483a102d595c424d93d0e4a3a96e6c000ecc918134507fefd6a8

SHA512
aa2a4ed8ebb7a478a150e78be9815d868423f04cfed6a6149283960a109a5a6521989544238d77bae97e0f316d5d89f3a1ee635041cb27c7abe59782e7468c74

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
256KB

MD5
91aebbd9b94fa8013c8befd3bfc177be

SHA1
48892a7dd28a421cd602199a70f2f13d9c955b3a

SHA256
1301f85171f774d67cfda8c3fb71e0a07ff166b7350033accb67d20ae0cde73a

SHA512
1fecea9f55ea1b6f551cc66504f166717c6c3c41a1eb76cc9705100891a0897ad00b62011423e4c8c9f166426ad797410a3680bd1082b59b3fb317cb1655937b

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
256KB

MD5
ffb63ee4fd9318b1f422ed41580c53d5

SHA1
63eda0951dbc72c11091a87ba7eb94dad0a4a0cd

SHA256
cb56c11cbccb2a957c23f387c3dce118acb6a5a156fac39c7fcdf5ebf559b060

SHA512
d3d153c5894b3f35500e2c9ac5d170d7ca98a2a75b5d10b037676a247508f8b0a82f74205940b804605669e0b4bbff108adf66614b79d840206e1fafb5ae5f83

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
256KB

MD5
e635d015708fb724348344461605fe21

SHA1
40ee8b40be1d11c4c9f9006d907dc37b541db864

SHA256
3ec2384f700680e0389063bd6fd9f6405d239f66c2b829c439710d3c04ab8f34

SHA512
da85bb44adabe1e3063974519d3785cbb9762c20afe3d343244b6478cbafa427e8d18287e65ab2de4280115794d1f5d88530d3ad6ab0348a7f7baf329d36c0ee

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
256KB

MD5
45c04b93f611f2707f77ff316e7bdcbf

SHA1
b9911c20497e2e96c68f5531981ac9c43f2ce3a2

SHA256
435722daba486517cf319a8060fcb274db7be8dd7d06c2f946b555a2ac424f83

SHA512
8cebb39b4dd3d20e0b95fefd267c0fa98162312d37de30cf7ec210d5f90be8dc34daa30bd0a26047e9a8931b012c843c9137b77e821e88fd5738ddcf4c18c872

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
256KB

MD5
48d3df277de05cafd22f4150ee28fe7d

SHA1
5026bc41105f09d39bd378e154f6e40333e5d487

SHA256
91a541074a92e8bb7d40830a63e8a5a25fbdb3a151198d17a8aef35a415fc9ed

SHA512
b2e2ddfbe11659b8175f501091842fbf0b4a48cc35de89c682e213676d0ee21b92736cd2394ae3e0d98b8dc30c1a9e3b88880a75f83045b9e5c89917a15a266f

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
256KB

MD5
cd8bb09218e02c0f0d4d98b8db4fc680

SHA1
d8a27d6db3247bc5a7006a034e7b13746f6056d3

SHA256
820e9ed5228784ceb25df85164c85bd42548ebda7cc2e4dec4081796cf8e70af

SHA512
21056f937fbb6f1a97a659c54eb0aa932eaafe7a693b79b2c74b25e4dd9dee2c39265ccce9bebcfaebe4a5403f9a2ecf35504e277dd3019be90578cacdd0b946

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
256KB

MD5
e5214d74cf02f98156a21446e28dd1ba

SHA1
9f792611be1ad0943d38cea0e40e703fa18520dd

SHA256
f48e2c2c9bb4c20ae37d07415ee893d0fd24523eb7c1d1f27830bdccc8fe3707

SHA512
f09ebaacdfdc24aa6b9ac6495697cb66eaf2bc340098836780337d9967afc64d01122325e268074f01a27f495059eb989b321f338fb984d8bc6d1e5b3b56f1c5

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
256KB

MD5
bdbd73dbaced5927af077787f468f8bc

SHA1
185dc834e8542511b9e54ea5dbc1109dd232b5ab

SHA256
5733f3310f643501efbcc61fcd4904d0a9780bd6268ffe674ce4c814ee4a1c35

SHA512
86b6d70a471eb3e55033fa8f7588c59e2cd32cd9aa27f5e9cdbe176b184fda6dbe51be52fe8612011175d3d5dfe573ed1b3759f453f1d56107498e500d7bf3a9

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
256KB

MD5
5ccec1c7e75a0eb7a544b4423e32f073

SHA1
0dc2ab3407f752cf53d26b7a44089a46c2984300

SHA256
25e553937ebb0d805da810e2322ac0152242b8da0bee0c544ae1efa739987511

SHA512
e51df3c92fc6cbf41df64edc16fa431c97d5d86f0353795e274accaf7122e1cff88034ddcfc51ff9ced2f9c20575ef9c2486b0296656a627ca436f296017cfef

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
256KB

MD5
d158fdbafc255f9577f6f6698395c544

SHA1
e32c27c2f407a86d9eadbdd17b87e667b64c83e8

SHA256
f1b60f244d7ee22ed9679e9055bff646b0de4d1c43e6b00c555eff57a74124f8

SHA512
b6e982a4de366c68eaa782ab04045f808909dd1b10a99a6a6c13ac5a8ee89b5d9ec5fa56fa2b19da175184a0ae22cc21dfb71cb40f9346e3dcc57e3dcc6e9c41

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
256KB

MD5
f367bc80fc1ae1edef36a0b62906b905

SHA1
e21fd5987f4e16c74da0f5830bcab845f1267eed

SHA256
3b6b943a6dd4ae665809e03551dd19d87549a5af671ee8a97f3e8683f7b4a570

SHA512
b2ec2f761275cda6bf74c0c0135b89c0ef3c6d81bcd8d2328e3fb94552609744403727cd6c1c8a1cc58303e83027eccb20648d42cd672beebed1427b62cf82f4

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
256KB

MD5
ea66db91fdc03b06070403798782f3e7

SHA1
c2111d41bc2ca70007bb29bbd7ca7e35851dbcde

SHA256
383e32117170eafb83bf900c33c4618084b4b6a11c103cb6e92843994e558e2f

SHA512
9e65537ca059f56d72ecbd7d7db8fd52e85b6388e0d96ac4c5f231371484a4f92046780b653cf94516da366b42c0403e6fbd63275c1af125755a2781b05438bc

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
256KB

MD5
f045f9edc12c840732fc5941012548e9

SHA1
b2c385b6bb052a31df967f9455cc27c060b9051a

SHA256
13fae4bfd821436b298d202148c448edf20a14d3d75b31b8aed782faef89f66d

SHA512
7aea01ca26f3f4a9a756381d68b4e519cad6580f30a603859d5aca9a018eafb7e144279c5a8e536a6d5867375c65f17557d9ef9dfb18f15ca353111673e94712

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
256KB

MD5
fb23526f4a1e55a013bf7c25dba0ce1d

SHA1
ac1b23ec8945625e6aaf0b5d607b05596d6babf4

SHA256
45e00e1de64582649bc9270514b6c8bc623fa9797252aee8a7513c6009dbcc17

SHA512
d239f539c29d22ced34f89c326d7c83f9eb15369eba1db063eb10ffaab4fa92b68d908cf4eea838b777dee0540b29243d1cac38ac9c60cbbf7dbb945be71ce2b

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
256KB

MD5
8e8303a9812ec307d5388104e9b3ae3c

SHA1
4f464e610e6bcd0fa5331572b350b9e89cee0b9f

SHA256
5f026e09ce46615a056d03be174a03bf45176792c07dccce541484a5d9e039da

SHA512
ceef29fe8059fd35b00b7680d0d6ebef0be5cf16ebb867d2ad1e2c257e17e6334b2453c59b8f279ba148672241fbc14ed9c5420c41d75570a2ef3cbdaf461fb8

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
256KB

MD5
0f1325d0a345ac6e7bc06a11d06f5742

SHA1
f1ac7377baa5ea3edad5efed63067a19defdf288

SHA256
b95d4978acbe242c9e1bb00d455aa5627449beaf491528f235f274b090dcfc2a

SHA512
dca5ac1ed9e170e5be129fffee72750a901ca9983eb18ff663efd11d2a5a48e0ff5f84a25aad1993454bf725722258d723839b28bf58a602b355cb64274177a3

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
256KB

MD5
3bdebefdf7069d01a4bf5584675edca6

SHA1
28bb33f13525baaf8adb23c9d48dbb66539deca2

SHA256
ce52a7696983f7766dac71f9f3434305658f86f8b7588297e05a21a3087df481

SHA512
f4daf209756166c23852e4ab69a35f832ee2a5aa5065e9782b9aa2be204c94d5a627e899641612e7fa7a4a68c0be8dafdc63fe150c1a07be020ed739a95a26eb

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
256KB

MD5
815106ce41132fdf3e6490101bcd28c3

SHA1
8b0fe3150d631bf7a46ead04c924fae36726e98d

SHA256
81ec79d55c63be476d882745e1cd4253ee099d088673275e4d3f14218dee9f12

SHA512
972b558d3b1d7d7f21cd89c6740ec7f438fc5d6323df326ae09a393aa7ee8684df3ceac0f4ac9c4bdd0679c97a38d5e33ec27ca6297ee69763861e3f91790007

Download Submit
C:\Windows\SysWOW64\Maaekg32.exe

Filesize
256KB

MD5
314f74e0bf4b2dba966df3501e61a71f

SHA1
4ae94589bea0e9ef629e2063c1ccb6c759d4191f

SHA256
2952cc05f6dc576aefa1f1105c224f85846bf0ab7bf08c22c79d9b7be6373f40

SHA512
2a072d505547e3bcee1adbd7d4e6e32765df78f4b7abdb365fbdbc87f23c5dcd11d5b191a4c2ff66437a966b562f6711f05e4d97a7f4c14223a86cf7bb67eb1c

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
256KB

MD5
218ba7a472a6e8947b4b1aa0d01811f6

SHA1
2743ee41b0b981221aa8f7a0d2132729f97f0c39

SHA256
1cb871512cd1c2417f49911c6c0578dbe244c6147d4c39f77bbcd7adbc9bcfc1

SHA512
351dc9d1be2d7dac35be67cc6b61eef46d72f1fe96915b9b5da181984cf4d9c8a961ea579d80498beba2d71d874bab75d32baa792a8edb78cd8240bbdc6e042d

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
256KB

MD5
0a86e4cc4bf52e839a9890ad9c03530b

SHA1
31dd5de27022970f1846e51ed17fd3fc7e88ecce

SHA256
b1825ff7f09c6d0045a42515a2cf08ef8c01cbaa1876c4361af8b843ae88390c

SHA512
58e16f80816b344cd3b5755fc87785d6c8cc651d96f424f860bae6280f035bf83049c63836caf23f5a053cb6139b3537d2af88d961d021798c38f2c9bb1b486d

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
256KB

MD5
1267806fc2bdc388b579e448fbf54b8e

SHA1
6d0c68cbbe30e0dc750372827de130448c8a81de

SHA256
e929bcfca1220c0b6f1050a0b9098437a45fd37bd63fa3d4cd3a27e96a80af37

SHA512
6d93ae7e8d0364998725741d925c12775aaf2678a55f8451eb128c07acf1b9ff40d741b9a7e1a99dce301345ab7d212f36b79268bb65297b0fc4064ac7d93de7

Download Submit
C:\Windows\SysWOW64\Moalil32.exe

Filesize
256KB

MD5
3ef1dcadff51e21b19d1fa4e5ab32a81

SHA1
e8b1dfb8938227ab129907412dd86fa8422fd77f

SHA256
8a49e98a81d57b49d81d008f5fa8233caa32c29ac7e897c7a29a0085e45805cd

SHA512
20cdcbe1527cdef04daeebd48fa34dbe90ddf3385361aafb2ec0194a5f81aaeea5ca11bf2e1166d43d2d78b5bee250bb52261a31ca6dc9febf33f705f42dfd20

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
256KB

MD5
b8bb63013a6b1e9b9f0ca520ad97e735

SHA1
c29d960e6b1e8fbdc34bd8a2e1090bff50db4ad3

SHA256
9cfb3c142eb980b3508efa74a7c9eefe7168b515f2d57f9cd45b63e8f71c69a5

SHA512
870d26af33c3deb53924df9a09b9b3a989b9889913cef65653a3724c8c4274007c7a5c4f6301aaa65e799934c9f7e236715c3a7a4c7d0af66e0dc12d1eec98a5

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
256KB

MD5
bc76c1ef4733c44a99d7fbb6f2bb94c8

SHA1
bc321082cd2b70bb6cf996b3a15844d7383f8c2f

SHA256
816a4c3c8c39a13b85d1a2399526968a2b56e1ce3ec9a7abb3ef6e4d8814bb3e

SHA512
d4e24d72a100706419ecb8d460518d9f4333398dd14567e0a7ad215d4a0397889ac37562eb17c8145b06675773306ef5017fdf4fd15228a1cf1c9fa26898ba41

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
256KB

MD5
1a98b3626fffd414faedffe4dfb47bfb

SHA1
a9c85655870a136c1979b66a68ee3bf4c9ae537d

SHA256
9a7ed9f3d083ff499c9e0e80d29256d22e3d9ebf6e9dca188b37dfc0e936ee0f

SHA512
c6523aca9e57e291e16ae12ffb5cc19637127a52b45da2a7c2214dc67da5304c7507eabba391218902bd99bd2764c4dbc4484851650f885bfbe0fa4a293e0a2f

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
256KB

MD5
3cd7d9bd8d0d525cf59c081f95e45c4a

SHA1
514d7502f6a65df8a0f090c71f1d87cd9349af7a

SHA256
b0f4dc7533f0294fd914f5446be1fbd41a15f361e3f86659fdba862abdd1d2b1

SHA512
5cbfb7d30e660cd7341af4c9f0775585fd5f08fb0bad65e39673594027faa3ee28441be8f30ea543e19fa2d23e923b42a368e213a762fab482110d9eb0ee9175

Download Submit
C:\Windows\SysWOW64\Pofhbgmn.exe

Filesize
256KB

MD5
5c74615587e7058d3a34e67cf1c1f535

SHA1
83b64a2463c6aef64824a7779447c5c0c4b600d1

SHA256
687accaaa6ebd0ea7c8f5bd51e41710c3aea67892342c843a18b5fa1935fed3c

SHA512
e04128fa71eb5cfe556281ac23a9564835a79d3d4fe2f7ddf9582c34dad6d2dc57ff617757fe9b4a2a267e2fe036f767eb858165a5c0d39545da96a00ae0287f

Download Submit
memory/316-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-704-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-734-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-692-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-706-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-714-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-738-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-708-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-740-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-712-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-650-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-742-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-698-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-690-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-688-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-652-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-656-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-696-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-710-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-717-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-654-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-702-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-736-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5236-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads