berbew | 7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042

Analysis

max time kernel
98s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
Size

337KB
MD5

f66e261f76163fa2f968bb45871f4f10
SHA1

ac9f2de1313582c3e6bbc3c969e4e1289e7fcde7
SHA256

7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042
SHA512

543faa2d60cdd608bdea74222b317618af1e9747be8eec70ea7e548bc4c16393119a8c80cbc4cfd6198be33a208e824ed58fa7c00c13d02f0802bf374d515480
SSDEEP

3072:tjZ8BfB3KgGw1bZ93HMHHgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:BZ8B53KgGw1bZZAH1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moipoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
5596	Mjlhgaqp.exe
3844	Mqfpckhm.exe
5384	Moipoh32.exe
4568	Mgphpe32.exe
4972	Mfchlbfd.exe
3600	Mqkiok32.exe
3340	Mfhbga32.exe
2396	Nopfpgip.exe
5832	Nnafno32.exe
876	Ncnofeof.exe
2504	Nmfcok32.exe
3972	Nglhld32.exe
5432	Nmipdk32.exe
4452	Ngndaccj.exe
1828	Nagiji32.exe
1588	Nfcabp32.exe
4968	Ocgbld32.exe
3800	Opnbae32.exe
5856	Ombcji32.exe
4252	Ofkgcobj.exe
4204	Ocohmc32.exe
4704	Ondljl32.exe
1764	Ohlqcagj.exe
3704	Pccahbmn.exe
4216	Pagbaglh.exe
1152	Pnkbkk32.exe
3096	Pffgom32.exe
3268	Palklf32.exe
3496	Phfcipoo.exe
4056	Pjdpelnc.exe
1048	Ppahmb32.exe
3500	Qmeigg32.exe
3784	Qfmmplad.exe
5676	Qacameaj.exe
2544	Qdaniq32.exe
1448	Afpjel32.exe
968	Aaenbd32.exe
3544	Afbgkl32.exe
6116	Aagkhd32.exe
2972	Adfgdpmi.exe
5656	Aokkahlo.exe
5804	Aajhndkb.exe
4720	Ahdpjn32.exe
1444	Amqhbe32.exe
1676	Ahfmpnql.exe
4924	Aopemh32.exe
4964	Apaadpng.exe
64	Bkgeainn.exe
868	Baannc32.exe
5932	Bgnffj32.exe
1204	Bacjdbch.exe
2464	Bhmbqm32.exe
1348	Bogkmgba.exe
5888	Bphgeo32.exe
4228	Bhpofl32.exe
536	Bahdob32.exe
5928	Bhblllfo.exe
4800	Bkphhgfc.exe
5452	Cpmapodj.exe
5900	Chdialdl.exe
1324	Cnaaib32.exe
5172	Ckebcg32.exe
3176	Cdmfllhn.exe
4336	Cocjiehd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mfchlbfd.exe	Mgphpe32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Nnafno32.exe	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Pbhafkok.dll	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Mfchlbfd.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Ombcji32.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Hgncclck.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Dkodcb32.dll	Mjlhgaqp.exe
File opened for modification	C:\Windows\SysWOW64\Ombcji32.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Qbkofn32.dll	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Mjlhgaqp.exe	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Ondljl32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Ondljl32.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Nglhld32.exe
File created	C:\Windows\SysWOW64\Ombcji32.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Afpjel32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Ondljl32.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Nmfcok32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Ocgbld32.exe
File opened for modification	C:\Windows\SysWOW64\Bacjdbch.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Difebl32.dll	Moipoh32.exe
File created	C:\Windows\SysWOW64\Ppahmb32.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Bahdob32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5064	3740	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqfpckhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlhgaqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgbld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nagiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ombcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll"	Mqkiok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6012 wrote to memory of 5596	6012	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe	82
PID 6012 wrote to memory of 5596	6012	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe	82
PID 6012 wrote to memory of 5596	6012	7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe	82
PID 5596 wrote to memory of 3844	5596	Mjlhgaqp.exe	83
PID 5596 wrote to memory of 3844	5596	Mjlhgaqp.exe	83
PID 5596 wrote to memory of 3844	5596	Mjlhgaqp.exe	83
PID 3844 wrote to memory of 5384	3844	Mqfpckhm.exe	84
PID 3844 wrote to memory of 5384	3844	Mqfpckhm.exe	84
PID 3844 wrote to memory of 5384	3844	Mqfpckhm.exe	84
PID 5384 wrote to memory of 4568	5384	Moipoh32.exe	85
PID 5384 wrote to memory of 4568	5384	Moipoh32.exe	85
PID 5384 wrote to memory of 4568	5384	Moipoh32.exe	85
PID 4568 wrote to memory of 4972	4568	Mgphpe32.exe	86
PID 4568 wrote to memory of 4972	4568	Mgphpe32.exe	86
PID 4568 wrote to memory of 4972	4568	Mgphpe32.exe	86
PID 4972 wrote to memory of 3600	4972	Mfchlbfd.exe	87
PID 4972 wrote to memory of 3600	4972	Mfchlbfd.exe	87
PID 4972 wrote to memory of 3600	4972	Mfchlbfd.exe	87
PID 3600 wrote to memory of 3340	3600	Mqkiok32.exe	88
PID 3600 wrote to memory of 3340	3600	Mqkiok32.exe	88
PID 3600 wrote to memory of 3340	3600	Mqkiok32.exe	88
PID 3340 wrote to memory of 2396	3340	Mfhbga32.exe	89
PID 3340 wrote to memory of 2396	3340	Mfhbga32.exe	89
PID 3340 wrote to memory of 2396	3340	Mfhbga32.exe	89
PID 2396 wrote to memory of 5832	2396	Nopfpgip.exe	90
PID 2396 wrote to memory of 5832	2396	Nopfpgip.exe	90
PID 2396 wrote to memory of 5832	2396	Nopfpgip.exe	90
PID 5832 wrote to memory of 876	5832	Nnafno32.exe	91
PID 5832 wrote to memory of 876	5832	Nnafno32.exe	91
PID 5832 wrote to memory of 876	5832	Nnafno32.exe	91
PID 876 wrote to memory of 2504	876	Ncnofeof.exe	92
PID 876 wrote to memory of 2504	876	Ncnofeof.exe	92
PID 876 wrote to memory of 2504	876	Ncnofeof.exe	92
PID 2504 wrote to memory of 3972	2504	Nmfcok32.exe	93
PID 2504 wrote to memory of 3972	2504	Nmfcok32.exe	93
PID 2504 wrote to memory of 3972	2504	Nmfcok32.exe	93
PID 3972 wrote to memory of 5432	3972	Nglhld32.exe	94
PID 3972 wrote to memory of 5432	3972	Nglhld32.exe	94
PID 3972 wrote to memory of 5432	3972	Nglhld32.exe	94
PID 5432 wrote to memory of 4452	5432	Nmipdk32.exe	95
PID 5432 wrote to memory of 4452	5432	Nmipdk32.exe	95
PID 5432 wrote to memory of 4452	5432	Nmipdk32.exe	95
PID 4452 wrote to memory of 1828	4452	Ngndaccj.exe	96
PID 4452 wrote to memory of 1828	4452	Ngndaccj.exe	96
PID 4452 wrote to memory of 1828	4452	Ngndaccj.exe	96
PID 1828 wrote to memory of 1588	1828	Nagiji32.exe	97
PID 1828 wrote to memory of 1588	1828	Nagiji32.exe	97
PID 1828 wrote to memory of 1588	1828	Nagiji32.exe	97
PID 1588 wrote to memory of 4968	1588	Nfcabp32.exe	98
PID 1588 wrote to memory of 4968	1588	Nfcabp32.exe	98
PID 1588 wrote to memory of 4968	1588	Nfcabp32.exe	98
PID 4968 wrote to memory of 3800	4968	Ocgbld32.exe	99
PID 4968 wrote to memory of 3800	4968	Ocgbld32.exe	99
PID 4968 wrote to memory of 3800	4968	Ocgbld32.exe	99
PID 3800 wrote to memory of 5856	3800	Opnbae32.exe	100
PID 3800 wrote to memory of 5856	3800	Opnbae32.exe	100
PID 3800 wrote to memory of 5856	3800	Opnbae32.exe	100
PID 5856 wrote to memory of 4252	5856	Ombcji32.exe	101
PID 5856 wrote to memory of 4252	5856	Ombcji32.exe	101
PID 5856 wrote to memory of 4252	5856	Ombcji32.exe	101
PID 4252 wrote to memory of 4204	4252	Ofkgcobj.exe	102
PID 4252 wrote to memory of 4204	4252	Ofkgcobj.exe	102
PID 4252 wrote to memory of 4204	4252	Ofkgcobj.exe	102
PID 4204 wrote to memory of 4704	4204	Ocohmc32.exe	103

C:\Users\Admin\AppData\Local\Temp\7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
"C:\Users\Admin\AppData\Local\Temp\7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6012
- C:\Windows\SysWOW64\Mjlhgaqp.exe
  C:\Windows\system32\Mjlhgaqp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5596
- - C:\Windows\SysWOW64\Mqfpckhm.exe
    C:\Windows\system32\Mqfpckhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\Moipoh32.exe
      C:\Windows\system32\Moipoh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5384
    - - C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5832
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        68⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 224
        76⤵
        Program crash
        
        PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3740 -ip 3740
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
64KB

MD5
41f59e48fd4ee4592757233c6793e84d

SHA1
3e57b55e00be57bf87e02cbba68065538519bb09

SHA256
3954a599aa276291c69de74b5556db2cedf2db67c49eff0086232b28536cbe3c

SHA512
44f16347c658ebeefbec5c8976d7a545948be8d95065d2e4e5ecf5b3982a2ea973f81fc7e6f749290b592c0f5f4e89a440eb14e9d5bbd465194638573cb603bf

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
337KB

MD5
0051e21b4f80d79491d3be260b5ea946

SHA1
a793ac14ee1aded00d970faffea6a65c07a5fbcc

SHA256
dfb5efa98134b090cab76eae94806cea6cd037e2dfa7c66c6f55719639a34e2b

SHA512
3e6637560d175d1a4a3c74b3b0d45a9551d9cbb6852fa6ff6d4ba5ae1460c16aca50f413defb02f289b6011514fe0e99d09bc643dd42e251f5f7fe3f9a76d837

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
337KB

MD5
88c26b608af3d1375f851682bbec0a46

SHA1
f596a71317d0fb68122b3fa136af90e6036af0b8

SHA256
29e8c4433f586f3e6ff6de2d3d1a2191185fe5ce734d07ee124432bff34a7101

SHA512
2db1a813b45cf98d7d4836ff28554c3ac3a0292da574aa4eed83aa13d5c5b7514822d41644fe9816d8912e2dd2fdcb980dcb4bbda12a762659327d392517ab4e

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
337KB

MD5
e8510a52d444adf0bf8ac5a154e0ac01

SHA1
65dff9b3cb2c21b19d8ef48c6357e0dc327a8ea6

SHA256
8bd93d05c2eda8695cf5374bf257d14603e4c89cb4745efe7c5e0550591b0dae

SHA512
68d75e3ac0f341d56fcc44187ca06677c8c2f0db54f896d5b2865701368f24986983df7ad3830e4020d61e13cf0468a08ad69c6e66c6a9b3f81a5dba5d7420b0

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
337KB

MD5
b09fa8570262d812c6faf47cafd52087

SHA1
e4adc5f2dc7834215a063b5deb6f6bc408288a21

SHA256
f4cc8970a32cc3962f0fc68239b05c0475ff49d1c735ed32802a5afd4d179a46

SHA512
3741c5c94c19b58ad240b431c98db9f7d191922b7ccb9b2aa760a113653f3f9da514b43430c75be2a4f072bf53964a1ceadbc53d1b56a3490ac529ce97b4bea2

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
337KB

MD5
256c6e149ed603694298ea6901c0479b

SHA1
5d294b82d5655e441f9af17fa341e612e69186a8

SHA256
c8bdaa5e8d513a1a93710277abf3505dc692864e5658ed4e936e0283174248bb

SHA512
0eee549c3735e003a05758526c025427d619977653fe5aca94a70269e4778ce4ff389b372aa9fa811e1f4eecdd4bd3eb3fd5714b7dec5be43d8a1fdbbc4d97c8

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
337KB

MD5
22a3e44fd26716a866bc4aec9d388267

SHA1
0a7030dd8b532ca114402a9b2d511a3acc1c61d8

SHA256
ef3b5b4b186b5b60aeb10c7d48bb329c47bd8f49a6712c08244b213cf00e8f58

SHA512
0e40d169c336601f95d385277df0419143641d7a16b4b64d2e46ea83dfe1acfe3c2b5823e2fa4cd3656f11840cf37c1a83c352defa764cb6bdbb7c98e8495eb7

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
337KB

MD5
d0680413a60d45422613dbbe53fcb69e

SHA1
92440e4d15e518cd1b0709728640f77b9fd8aaf8

SHA256
3633f77e5cb9e1bb7b3374897a2ff029e861e66971d793eb737bc46eb840594e

SHA512
008d7b49f12f18f7d3554ed57d9ed0614d5b5e093b6b92afcda4828712f6247d81cf60259d0a91eb6e9c10fd0e7f14920fabc2f06fa33fde00d2443e478ddbbf

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
337KB

MD5
8761a9f9308ae46a3745a1f6632c3259

SHA1
bdc6a88d6a3a30004e4547dea46055604e2f7d13

SHA256
3fbefb756bbad07430d57b23475627392646ed36c60c2c83c9a806c22a617187

SHA512
8179577ee7feac4c296a0d1095e1004c23f63ec50927ac956d9cd379e4ba041ef1a7f6086d15a36543f4d9dfc02d41d69cff1473cf3ae5b0c886c339b21aa50d

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
337KB

MD5
206d4d6fa32027ee97725a225d72d21f

SHA1
d553b1b984e27143aae4cc385c966d72ac10729e

SHA256
963663765fd9b356318012e97c9753bb3ae581a54402a7415a1be885f79f42f0

SHA512
c408a0063ca12db9c9154f67d88b36c7a131643a8b46e46dc80a05a28c73675fc8b9d822f4d5ceaa15262c2c0754ffe47cd2c994f5f9cfd1c4b03f25cbc13cba

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
337KB

MD5
0a4a6634822f802bbabfe6c2b2376460

SHA1
c6ae78268a0a980b2aab96aff475539ab8e5c011

SHA256
95e478c54a75e3dede61f2e06cf234dcd4c087bd0dba5a557ec5f10e741502b8

SHA512
259c445b32c7e3680bdfb559c41fd9239f976552bbd068b4349e3b1ae6fecef0d120ec0d48b7a3f54c82e8948a474cd9dc3187475b738fc9ee5bdbd0bbd8403e

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe

Filesize
337KB

MD5
4e2e0b4a627a83f23ffd457528e447ad

SHA1
c0b848a975f2e3029576ac0818566eded5caa53d

SHA256
a7df5b6936b4ee979eb6d67fc1beaea6542171c71e89d55dd341262007b57dde

SHA512
ffdcc9c37eeb69bfc87dab0364dda69f660e831bd7c620babb2b1fc539f87a58d52893f5a48098ac4a96bb070e202b6180f6fba83cf09724e2aef97896b4f27b

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
337KB

MD5
17167627b0a14d3b151b148cc14265e3

SHA1
74e1aed9de49f3ef6462cc22537a1dcd2ecf1d32

SHA256
ea646d3a0662cff4147f052d46730ea5d78ea140d77f04b1050a702d9c3e4c1d

SHA512
0c6e3e4f41bb91456b931f9fedc4c42d4a12a108134421ead9b3879fde3efe4b34e36a9c29a10279fd89c4e2ebc4b78d83d160d4e4ce313037e7e6f7041f956b

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
337KB

MD5
6c42799115229d98f16176fd19ad5c6b

SHA1
b3f609c4e331dd1d4c8127bbd2c66970a0fcdc26

SHA256
7d489aabc888f80ffbee5fbf97359ec58429fdd06abc8645f0a1270c8bb40b7e

SHA512
72f3ea2d6aa9419d374a4bf545ba972a898699363bed8badd28e8c0aa6956b238129cb5d1c9ed9ee7a9e3236f1f14cc7ed4696890a3ba5a98cfe96610c9d0aba

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
337KB

MD5
9ed3f236d4330b7b1281b8456a1e0c2a

SHA1
52492da9e1acb708ed607c359b0592ac9418e926

SHA256
1b051c88c84ec31b6573054df55e69fa4257f20347ff03f0d6ddd3acf5bd62b9

SHA512
11698f58facb4124300e0ce787843ad48d306b61d7e03245c9f0ec711fdbbdbe09f89c797a5347f024cca5febe3deb2bfb07459642078c716945d4b3bb85232e

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
337KB

MD5
3992299262129e105ed74c98c2cfaafb

SHA1
764478ea7e09ad60613f198f2a24b9bc4ad59457

SHA256
f0a3dcfad4d6a271a3ce0826f54a05c220d1b6851cb70563c7c8e0fdaaf2b638

SHA512
c015bfc4af90548bad1892fc603257eceaf732c8755b75a6d0484c16303d794afc7e3608b9af2a6065a55886bd04ed74ae2e00ebc09fbac0040b9256ba5c80af

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
337KB

MD5
0510d6963eb1a2a706b4787917cc4cd8

SHA1
754a444cf6fa355094a4eae094644f5454914552

SHA256
b4b7c27bd30f28a1ae52f34ba511f6dd305999ee38a99a3de2b0cfa225d3b385

SHA512
b8964c9b710b7a08cb0a327e417954f09041b22173d0a978fcad104253561f772a9ec32b92c745915efd3cb01493f19b31542425c1f105c47437f9631e745c5d

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
337KB

MD5
c3f2f8315b011ed4d8d268e7d6dc5ba4

SHA1
1ff3379aa43e1c621d5d1c7ecfd2b5f1e5e1bf4d

SHA256
b5c5c1b9f94127a4600521a3b68b68aad5be60c21d48aaa445ce9eb04d87c419

SHA512
0d1c8f82c925eb1aca0a0cef68014dd8ce71c0f6ad575eaa84a8acba812ada87abc4c6acf83da37c24307f0ad2bd8f20bff22ef236b043f2a088c2633000fca9

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
337KB

MD5
7d23a6f6c3d3c0b3665c82dc23ff8b7c

SHA1
84de083ed16de6e2ec4e6ba0358e6c23884aa193

SHA256
be6f620dd8c09c2dde48a23cecd045eeb8947a24c6f78dda54059f06932a5b67

SHA512
3f2afc083bee1b51367fb349eae17204984563f3f7077ec1b29060e1e1ed8b8da89c61fd8f91b3060912ca79424a7612920f6b4a25bcf9351e47c82e2095985a

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
337KB

MD5
0734de3d53ccf33c654226360106a1ec

SHA1
64551af7413fd7bb0a8b58e440fcc38f7798705a

SHA256
81a9f7bbee32c4e1a970aa3b4401978d656d775c0f077dd6c75e66b4b62aa73d

SHA512
4825979f21c78344a9faa87b734476eee39442c4d08dfbc4c8c8b1065b073e85362c8fbec8f8038a64a67d692841521e96d8ce1a9d8ffa51ae4a1da7f669ec15

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
337KB

MD5
6b955b812187de63d0f5a28b6b91ff85

SHA1
c6463c932b56debda35ece70f52b3cd6742ec2e9

SHA256
012b885f50df3324e4f8a1202c7ff3117fec39147791aae065b66337258f23bc

SHA512
248d1458cc6a5929e613d5ffd7cf19524387befb155a71f158e10d746a09015fba0496fac610d2f5ca0d1191c7d47965f2e7f57609cf72e7249b4fc38dc95308

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
337KB

MD5
c780a763df7285f61c24f885cd78fafb

SHA1
8cbdc6ecb55266f8af6f61680684b66db2b373a2

SHA256
61a7bb3e7c0befa7efdfb409000010c488a4cf6a19ad1868595a4f8d6705d0e1

SHA512
36a5dac5b570955a871f569e34257cf3b7565c9735319a40eb8f378ae9bd6e22c2f2ead491935239bdbd75e134665eaefbcb6dfdf1d5d7895768fc4032303107

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
337KB

MD5
8b5f4945509fed5fcc5d71b73f3af98d

SHA1
270e4272ce561f4ddebeb3c4e9b9ef0b4a17b17a

SHA256
03d201375160555eddf5cb29f3697908f8dfb379b8c35c98b6471b9f0cc8abe5

SHA512
a4696c60b93b41d5e9e779b072cee6cbd75db3aa6286ff50fc20e4584074b346d068b8584a1c9efde50a7482a1e4c31ac2ba6f23dcfca15346c45853c254c8fe

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
337KB

MD5
c58a199c74cda58d35ffbe6bb45c8224

SHA1
225e0b4cb0bf58fdd7d053f45b904ae1d9654455

SHA256
6e27018333542da4252b1ffa3b786ea28858458917a6c9c3767017b07a2f42c4

SHA512
0dffbe3b7e354016ce2162e747827dd1eb174f06aa8ee27cc9b5ffb9180e2272aee9b0b121f258ed9339120b07a9f121127e2b9d1246349f9f97f8295eda6dd6

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
337KB

MD5
73b6eacc26e10a08caef11894d61354f

SHA1
70032da744bc72c90c3be6ce01cb057c651f2743

SHA256
62b700f48f0f883abcda336ab3ceb6fedac3c1a5cb3d805405a4c85e3065281d

SHA512
dfd8890849a253950845b0d142ad72fd4875a5e7196216e25d07e67cd3e925ac99e7d0c3de35b07a140efa40975d60c9ce1f8a1c0b8677b860286eed537e8772

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
337KB

MD5
a758f636ee28286ef5d07b706a97b4f2

SHA1
d75dddcbb55fb3f907bb1e4d9a4fa6915d128bfd

SHA256
4e6c139201eeafd13b0016c9b6e8cf8ed9b9fb9e2dbebfc33c74ddd0654af717

SHA512
e694b3bfe75879bf15a18eb6b31f508449074c336bf666a231407f181defe58a0d79ce74554680aa311c39fa8acec1fbd5ee2c1e9c5871bf2bee6d7c4a1a6653

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
337KB

MD5
f2628a12cf5e05798f9fa0e71280d45d

SHA1
ba7ea7d74e141d9a1030037130986f13ffc1d8da

SHA256
da35db2d827c688143e8a28515144261ebbd7eb88ad836437b66bd2cd48a55d5

SHA512
f950a38d7c58ff80de97a9a30488d183a75e70262ac518e07cc3d2b4486b0f4324b12c030f2a3f7ce37d1eb2d772f53099af6817832afe4655775e2ce314f0f4

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
337KB

MD5
73fafc1e1fc869786b9fbedb7d53da7b

SHA1
8aae88cee933319f0f1ae8832f6da1c28840c0f8

SHA256
505bd10f459bf6d30eafbbcbbe1339f25b858db30360c3eaa860c402f4fb0c31

SHA512
ba472e88207093bdf90e8168a55a2e1e0749b2baac832faac51b3a23d48dae6a580e7080aeb337457f7266e58c4379a16e25855d824716576e83156f345bd3e6

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
337KB

MD5
15d83dba4d7940962f5c6acffee5bba7

SHA1
522fdafa3bb914f587e2980405b82958274a2ebc

SHA256
26a32a4153f7a90f82e2df9630641a26fffbbb3f83f49a4f156ac250e691a056

SHA512
195ba99cb33d504f7c60ecf0be3337a755304dec8a41f7e044b9dc5c595922e129d20945cc522cb5c0918a1fbf27a0f6f77a1c0a30fc1b723da7990bec934655

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
337KB

MD5
655535b3d71017effe9607fb34198a7d

SHA1
e57dee9b015c9d70317fea77bf96e39030453dfb

SHA256
b173ee477c81cb8596651308d4f5d6627f32f9253e554546d33ecef1c60e387f

SHA512
c8b7298f5cacd4a1f5361f9f8520316934224c47ab222f8f916664e34f5005d0f6bada6c990440e84441f80af040c3a2a0ed47ae39adbee7e65c15ecaab19abf

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
337KB

MD5
70df211d9d9a1cbfdb3cbc6c599fc454

SHA1
89898925bcf9a8b5808681d74768faa06a39b64f

SHA256
dd9b27f743f0f8167ae9f35ad3215967aef26b2fae963b6513c7126af27a4a1f

SHA512
d2b052c58527718d292d94007b461c12ac00721e56951f9c8f80e8910fcc0b3b217fc8f335a39994796003e2b9601711b1088081b806ff16206f73b70a73e505

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
337KB

MD5
10a348b467de3ecce5ee7658b4304cdd

SHA1
ec0453f5d3789f4c11e07ce85ddc59c8bbee8308

SHA256
28a0fd579d64d6ecad2d3527ba7a59acaa8b63f5e31c1cb7a1329867172c4f8d

SHA512
eaf98dd64a40520a695b4261dbb0d88ebcab099e9faf07fb8883217adbcf2c7bac9644cfa32fe027926fdaffeedceeb36773d38a26fb825445138a59456d7be0

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
337KB

MD5
692b314b86f9eb79e332a3cf0eed1a72

SHA1
77f4df7c76f55b1f327fd379f1bb0306dcc9f84b

SHA256
c2e8de9cbd9ee74984dd473332bb7bf0f60873af152e8a8c3836b6d4c653d4e9

SHA512
08209c25dd21822f124eabcc31b5b0c8d3394a0335522bc2188c0ee7bc2df09acf806df5ace6a0d1814de61117e2559266cf08070a44b2a88497d73d1049a97c

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
337KB

MD5
5cb42038caa134dc50f3322478bc235d

SHA1
cc673e7de9044251f1843453889134597fe55e69

SHA256
4e02db7d4578de797fe3f64974f94a79dbf1f299f095339e23aa818d935c6a8d

SHA512
0ffc06475f0c9dc00cf97a5cc93b4aaae8dc061aee48e5f336fd01e4ad11c4102d514dd4ad2a94dcccec5b89774bbea0a57c737851fb7a41906a832906a0e0d0

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
337KB

MD5
d6f006b67ce3d08983a53230026092f5

SHA1
a1df099c2147acb061713b5bbb56bbd96e1fdab9

SHA256
cc298ca30513433978c8941ed7723a7af780ed20de27ced53b03119997c58a42

SHA512
bda1261fb6dccc62a93383fa798d104171e609c7ec70d8241ba34695591c277b03e0534aea7e67248d69b51f39cb3be0b8298ce58c45d41897c53870bd7f4f23

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
337KB

MD5
74fd5f9b4f512a7e00dfca8faa1bd9d1

SHA1
86267f245fefc85fad488b5c41e08ce11f9b70db

SHA256
7cc4d2c1cbae935481e7c3d12ed46a00e049beace943113993be2889f8816473

SHA512
d6b926395194501b77ff80169e9d7631423e65e86df5c3f3028bb4634ff37c049a0de5508770d2a3f1b98d260f9c4e53714d28123a67912665317de05b453efe

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
337KB

MD5
c44f66393a15739b17f947542b714f75

SHA1
eef52493a415e9bdffd403b42434820c0d8d2425

SHA256
b93baa5a2c86fcf9ce81960133273ed93881185b3941260d16af3d9f3b758688

SHA512
d0bf25530addb87963eb2b41c05ad6a32c69a9bba18a500068cad08f95f3d734cba15992f8fc19b1e1aa6cd8d4278bfbcbcada4c691b87606cf12460eeb3e506

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
337KB

MD5
8becf2782390064858f76018d9a399ca

SHA1
33652e7e15be94d09344a62d16b5f632b9cdd609

SHA256
320500ae9c1cc0f4b66c591f25a72481ef17d2cdab332b55e71a879911093912

SHA512
0a6f8c212c0233983c65c145463c7a1e7efc99a5af0fdecf7edc659083f77c64f07e44f30e8ee5cd983212bec958014ac2145e707eb4fc5e5e050fc013d2a35e

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
337KB

MD5
3180fd67942a4a0575d2054e8e466ebd

SHA1
5ff55bf7a471d60470f56ad6a59e92f9185d01e2

SHA256
8c06242d621f9faef8f9e41a4ce5beaf879550fce997fd67b0fa13624f222d26

SHA512
86d9bd5bbcaa50760c2cd8c2013c7571c690373943ae852ab18e1d4f4b46c332ed40c73d80af85485b69e2a58f1a187c20d2b79495a4e7be04ecc1787520d936

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
337KB

MD5
809a1455a8df305f1bef8256d65c3436

SHA1
f976c7111788fecf3839c5e8b131f70467638790

SHA256
d68930fa526368df3a27635fb36ce1d1a1c32e775063055ac51b201f91b519a0

SHA512
84f904535983bcecdc5c07e2fa400bda8de2373233f69d1c8a4a4255a334d825edb481097bdc734e55802b7840327af245a44444fbdb65fa2848e488c17c0485

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
337KB

MD5
c85432a921f45ed4d7e32ebe2d6e8f01

SHA1
2fba8ee6504d4b65e49e5b4a7fdc9d96666518df

SHA256
d1c264b1ec4f9143095efcd8db809b523b02e2327e54ee6142209e6cd3080199

SHA512
b30d059e608800195b9c82acc692179fac339d41ffe70d6f4abdf8d789a46a5e346f221c9f504f07d681a8f06f82ba36bddea9e2f21822411b80942b3c71157c

Download Submit
memory/64-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5384-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5596-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5676-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5804-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5832-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5856-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5900-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5900-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5932-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6012-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/6012-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6116-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads