berbew | feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
Size

276KB
MD5

ea3ea5ec636bce993e41989ba5d737f0
SHA1

02afaf172addacde5b668af27fd027b5c4b5133b
SHA256

feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56
SHA512

f2c04b2068e10008f91b0270da508860eee7e9c6d3f0dabe6f3760b9d60704b20ea8f1123c45bc0cd95feccec9954ee2edc8358b8a9d1b047e216030b5a57f15
SSDEEP

6144:PqX7MKsnRByfa/iROdWZHEFJ7aWN1rtMsQBOSGaF+:CX7IyS2HEGWN1RMs1S7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Halaloif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgcmbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilmedf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igmoih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Memalfcb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3612	Gdknpp32.exe
2016	Gbpnjdkg.exe
1312	Gnfooe32.exe
4832	Hgocgjgk.exe
752	Hqghqpnl.exe
1712	Hjolie32.exe
2772	Hgcmbj32.exe
3452	Halaloif.exe
3260	Hnpaec32.exe
4568	Hejjanpm.exe
3124	Ilfodgeg.exe
3364	Igmoih32.exe
4624	Ieqpbm32.exe
5104	Ibdplaho.exe
3544	Ilmedf32.exe
704	Iloajfml.exe
3180	Jbijgp32.exe
3752	Jaljbmkd.exe
3448	Jldkeeig.exe
2528	Jlfhke32.exe
1212	Jlidpe32.exe
4944	Jddiegbm.exe
1844	Kdhbpf32.exe
4280	Klbgfc32.exe
4340	Kocphojh.exe
2888	Klgqabib.exe
4968	Leoejh32.exe
2556	Laffpi32.exe
3248	Lknjhokg.exe
380	Lhbkac32.exe
3972	Lhdggb32.exe
2984	Lehhqg32.exe
2488	Mdnebc32.exe
1960	Memalfcb.exe
1444	Madbagif.exe
556	Mklfjm32.exe
3956	Mddkbbfg.exe
2952	Mojopk32.exe
3776	Nhbciqln.exe
2860	Nomlek32.exe
1908	Nheqnpjk.exe
4908	Ncjdki32.exe
4352	Ndlacapp.exe
3412	Napameoi.exe
3720	Nhjjip32.exe
3236	Nkhfek32.exe
4936	Nhlfoodc.exe
3332	Ncaklhdi.exe
5040	Nbdkhe32.exe
4612	Oljoen32.exe
1264	Ohqpjo32.exe
3632	Odgqopeb.exe
3540	Odjmdocp.exe
4312	Omaeem32.exe
3584	Ocknbglo.exe
3636	Odljjo32.exe
2980	Omcbkl32.exe
1564	Oflfdbip.exe
1556	Pofhbgmn.exe
3280	Pecpknke.exe
3068	Pkmhgh32.exe
4376	Pfbmdabh.exe
1104	Pmmeak32.exe
1856	Pcfmneaa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nhjjip32.exe	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Pmmfoj32.dll	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
File created	C:\Windows\SysWOW64\Fljloomi.dll	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Leoejh32.exe
File created	C:\Windows\SysWOW64\Mbdpdane.dll	Lhdggb32.exe
File created	C:\Windows\SysWOW64\Iloajfml.exe	Ilmedf32.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mddkbbfg.exe
File opened for modification	C:\Windows\SysWOW64\Odgqopeb.exe	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Mpaflkim.dll	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Ilmedf32.exe	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Kpmmhc32.dll	Oljoen32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Cifiamoa.dll	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Nnmmnbnl.dll	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Odgqopeb.exe	Ohqpjo32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Iloajfml.exe	Ilmedf32.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Acppddig.exe
File created	C:\Windows\SysWOW64\Hgcmbj32.exe	Hjolie32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Laffpi32.exe
File created	C:\Windows\SysWOW64\Gnfooe32.exe	Gbpnjdkg.exe
File created	C:\Windows\SysWOW64\Mdnebc32.exe	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mddkbbfg.exe
File opened for modification	C:\Windows\SysWOW64\Nhlfoodc.exe	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Gbpnjdkg.exe	Gdknpp32.exe
File opened for modification	C:\Windows\SysWOW64\Gnfooe32.exe	Gbpnjdkg.exe
File opened for modification	C:\Windows\SysWOW64\Qfjcep32.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Jlidpe32.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Kjekja32.dll	Gnfooe32.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Iloajfml.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Jaljbmkd.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Leoejh32.exe
File created	C:\Windows\SysWOW64\Ohqpjo32.exe	Oljoen32.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pkmhgh32.exe
File opened for modification	C:\Windows\SysWOW64\Gdknpp32.exe	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
File created	C:\Windows\SysWOW64\Ghikqj32.dll	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Lehhqg32.exe	Lhdggb32.exe
File opened for modification	C:\Windows\SysWOW64\Nomlek32.exe	Nhbciqln.exe
File created	C:\Windows\SysWOW64\Eknanh32.dll	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hgocgjgk.exe
File opened for modification	C:\Windows\SysWOW64\Jaljbmkd.exe	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Nhbciqln.exe	Mojopk32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjolie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdknpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnpaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memalfcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmoih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchhih32.dll"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonchmn.dll"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codncb32.dll"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Leoejh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcgfpia.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjekja32.dll"	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omaeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Halaloif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiigchm.dll"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmfoj32.dll"	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpdane.dll"	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdghfg32.dll"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Memalfcb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3612	3276	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe	89
PID 3276 wrote to memory of 3612	3276	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe	89
PID 3276 wrote to memory of 3612	3276	feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe	89
PID 3612 wrote to memory of 2016	3612	Gdknpp32.exe	90
PID 3612 wrote to memory of 2016	3612	Gdknpp32.exe	90
PID 3612 wrote to memory of 2016	3612	Gdknpp32.exe	90
PID 2016 wrote to memory of 1312	2016	Gbpnjdkg.exe	91
PID 2016 wrote to memory of 1312	2016	Gbpnjdkg.exe	91
PID 2016 wrote to memory of 1312	2016	Gbpnjdkg.exe	91
PID 1312 wrote to memory of 4832	1312	Gnfooe32.exe	92
PID 1312 wrote to memory of 4832	1312	Gnfooe32.exe	92
PID 1312 wrote to memory of 4832	1312	Gnfooe32.exe	92
PID 4832 wrote to memory of 752	4832	Hgocgjgk.exe	93
PID 4832 wrote to memory of 752	4832	Hgocgjgk.exe	93
PID 4832 wrote to memory of 752	4832	Hgocgjgk.exe	93
PID 752 wrote to memory of 1712	752	Hqghqpnl.exe	94
PID 752 wrote to memory of 1712	752	Hqghqpnl.exe	94
PID 752 wrote to memory of 1712	752	Hqghqpnl.exe	94
PID 1712 wrote to memory of 2772	1712	Hjolie32.exe	95
PID 1712 wrote to memory of 2772	1712	Hjolie32.exe	95
PID 1712 wrote to memory of 2772	1712	Hjolie32.exe	95
PID 2772 wrote to memory of 3452	2772	Hgcmbj32.exe	96
PID 2772 wrote to memory of 3452	2772	Hgcmbj32.exe	96
PID 2772 wrote to memory of 3452	2772	Hgcmbj32.exe	96
PID 3452 wrote to memory of 3260	3452	Halaloif.exe	97
PID 3452 wrote to memory of 3260	3452	Halaloif.exe	97
PID 3452 wrote to memory of 3260	3452	Halaloif.exe	97
PID 3260 wrote to memory of 4568	3260	Hnpaec32.exe	98
PID 3260 wrote to memory of 4568	3260	Hnpaec32.exe	98
PID 3260 wrote to memory of 4568	3260	Hnpaec32.exe	98
PID 4568 wrote to memory of 3124	4568	Hejjanpm.exe	99
PID 4568 wrote to memory of 3124	4568	Hejjanpm.exe	99
PID 4568 wrote to memory of 3124	4568	Hejjanpm.exe	99
PID 3124 wrote to memory of 3364	3124	Ilfodgeg.exe	100
PID 3124 wrote to memory of 3364	3124	Ilfodgeg.exe	100
PID 3124 wrote to memory of 3364	3124	Ilfodgeg.exe	100
PID 3364 wrote to memory of 4624	3364	Igmoih32.exe	101
PID 3364 wrote to memory of 4624	3364	Igmoih32.exe	101
PID 3364 wrote to memory of 4624	3364	Igmoih32.exe	101
PID 4624 wrote to memory of 5104	4624	Ieqpbm32.exe	102
PID 4624 wrote to memory of 5104	4624	Ieqpbm32.exe	102
PID 4624 wrote to memory of 5104	4624	Ieqpbm32.exe	102
PID 5104 wrote to memory of 3544	5104	Ibdplaho.exe	103
PID 5104 wrote to memory of 3544	5104	Ibdplaho.exe	103
PID 5104 wrote to memory of 3544	5104	Ibdplaho.exe	103
PID 3544 wrote to memory of 704	3544	Ilmedf32.exe	104
PID 3544 wrote to memory of 704	3544	Ilmedf32.exe	104
PID 3544 wrote to memory of 704	3544	Ilmedf32.exe	104
PID 704 wrote to memory of 3180	704	Iloajfml.exe	105
PID 704 wrote to memory of 3180	704	Iloajfml.exe	105
PID 704 wrote to memory of 3180	704	Iloajfml.exe	105
PID 3180 wrote to memory of 3752	3180	Jbijgp32.exe	106
PID 3180 wrote to memory of 3752	3180	Jbijgp32.exe	106
PID 3180 wrote to memory of 3752	3180	Jbijgp32.exe	106
PID 3752 wrote to memory of 3448	3752	Jaljbmkd.exe	107
PID 3752 wrote to memory of 3448	3752	Jaljbmkd.exe	107
PID 3752 wrote to memory of 3448	3752	Jaljbmkd.exe	107
PID 3448 wrote to memory of 2528	3448	Jldkeeig.exe	108
PID 3448 wrote to memory of 2528	3448	Jldkeeig.exe	108
PID 3448 wrote to memory of 2528	3448	Jldkeeig.exe	108
PID 2528 wrote to memory of 1212	2528	Jlfhke32.exe	109
PID 2528 wrote to memory of 1212	2528	Jlfhke32.exe	109
PID 2528 wrote to memory of 1212	2528	Jlfhke32.exe	109
PID 1212 wrote to memory of 4944	1212	Jlidpe32.exe	110

C:\Users\Admin\AppData\Local\Temp\feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe
"C:\Users\Admin\AppData\Local\Temp\feea3e519a14cd6f7c3c07aec2f34f9cda63a72db78896d5fb6d9080a356dc56N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\Gdknpp32.exe
  C:\Windows\system32\Gdknpp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\Gbpnjdkg.exe
    C:\Windows\system32\Gbpnjdkg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\Gnfooe32.exe
      C:\Windows\system32\Gnfooe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:8
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
276KB

MD5
da0bc35b345964eafa7a9e2feccd16fd

SHA1
211f0d982b150eb2bcb62386052940676615eac6

SHA256
ab54f48a6bc5f67a2ade150ac483adc43afb9990dc28738d8139c2a6f601e2e2

SHA512
216559998ec663ce3ae43769ee5bd960fc3b1da6967cf73b679dc89211ec02b1fb922fb69f93e2dc14fd5fb851ebb79d372562f1b9d97a3adb3133f95710c24e

Download Submit
C:\Windows\SysWOW64\Gdknpp32.exe

Filesize
276KB

MD5
804bc903015567f5c98ccd0ba1e0ed81

SHA1
f423270878ecf5d05f41c9b0d27f02110387ac22

SHA256
882be4138d59c305a64baac7b2fd98313d7da4367dabb62f5cdbfb5353d53f68

SHA512
c676c2321362b38288a977df4145bfa1cf0e2696804db4e0ae318911af2cbb0b57ea225c81d86df15d7adf826d74a628e47af0c668965889fabb0f1d49d554b7

Download Submit
C:\Windows\SysWOW64\Gnfooe32.exe

Filesize
276KB

MD5
2278707bf031a17fdffb68a6c9b01618

SHA1
ba304e6075e50f07997297adac13e61fa611f821

SHA256
c923639a4e3a6d5cd6d25c9930da7ce87b7032c34be67ec46627f2496b308e46

SHA512
e8101abbfeb43fac6e5005de3a5684495c7d60c51d530bc638360bd0e81617d65be1c2854e14147cc3954a619737aa1543dc159b2a7e5f169cfccbfa35d5118d

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
276KB

MD5
307db668d2e7604c1d642c24f7b6b737

SHA1
f672f5b9ab5099f4e75f11d44cd2858e64c979b0

SHA256
17b8a84b10740d080a42fb57a8ca00498eb7af3356725664a014051bef91d102

SHA512
8feebff82bb3e6dde250a72f293ccf24045233a0b898ccb4c2cb3c41e30ce362a31d085ea55a99735820aeab23e3b392f7a7464e3ba6fd5cecae8eb7c884d0e7

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
276KB

MD5
d5607dbc2a53a6d20ea1e3b07953da76

SHA1
6208dc92baac108e003b219b85982dd21ccee7c9

SHA256
40552015a01011a54a81433feaaec72a531c79a3ecb861c0e0b449338faa752c

SHA512
ee7cc06788893e2b47ecb72c5067f27e58b68fd9eb6143ca19743a2e7141d0229b89f72048a9612ef4211b18ae010e744626858723528dfd20c7af5932d2535b

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
276KB

MD5
7826c920f6537a26d483c54b86db66f4

SHA1
e2d0faff97ea10eb7fbced5295e6aadd3a09f9da

SHA256
38ad61a9141eb79a9fe2a72333b8627d5e481f828eaebe3a1ac67ed615c75849

SHA512
90a33fcc41e9dfd2bbc5a9e6e70f758e069fd90559eba0241ceb00e9ad852b08cf0117699cabe48c05cb1417e7fd30d6b527f5e48e9ae1da7984c522f0107dbd

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
276KB

MD5
e4ccea2411c03ce89f81a339dedec263

SHA1
ce139fdf78e40f21ceac7f082e19f5b667aa2024

SHA256
c970cf77ee14670cc52eed7613991d573124088ec87560970cacc697c8e5be1a

SHA512
0bd770c97d91f1bf1692969c0b6c1d50c4c2acdc4421ea8986fd32184a1abcc84e09b955bed028dfb207b9975394dc0143c4a3589294c2ccfed830068a8270e9

Download Submit
C:\Windows\SysWOW64\Hjolie32.exe

Filesize
276KB

MD5
c200ac45b30718d5f427924e4b57d5d6

SHA1
a5ba7f882349fdd59c9307dbca069b4104aa0848

SHA256
efd55c9ba44d92f86c9e61d69cab28ec97bddda0e6d3cc65144b3f20af810acb

SHA512
2ef9c5a2b5862c7f797c9c5f8c621bd8aeebe13f71e580a9dc546e50ebca126085e05ed6add3508c7a2f2b6477c3cc140feb999242fbc512c68885f07df7fe59

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
276KB

MD5
195b46b98e87fde373cbaf085cc65621

SHA1
78534f5db708e98c2c916f244bd0ad0515d7ba42

SHA256
82b52a7496fda4dcf430557d9a42098f48947880961cf6c66a57ddcb3d31132e

SHA512
1ac5310f8710773eab928c77be8772c08f8773b14ef15fac63bc3cb17d85da672f9605264d93c0fae7e636822356a5a532d48d5d8d8c236526b6a29085857355

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
276KB

MD5
ca560eb2a7c63346a4b68fcb871f24e1

SHA1
122351adddfbd342aba7d41e46752577c0c3a62b

SHA256
e2dc040cabb28afca33511be48ea855d9221295a541d60e9c7fc9106ef4bc6de

SHA512
6f145ef64908d358cd94ee204fecd828e7d7402ffc704ab9c8ad8e51ff40ba69e365b149d31df87ad2a1787b896f1edf3af99d0fd0dec71bb3984ffaca0f6e36

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
276KB

MD5
06b7ae4c063bed7f2e95ef90f835d090

SHA1
71198984676361512bc907ee3310707dfbb86e93

SHA256
e8573e0437f727e4e962084ff26e2856ad3534a02951e1130bf876176d85a282

SHA512
4820a461cabbdc96755067ff84267f1036de0c619d6cd8c430bc810313e56632aaab9f17f6c0322a5e006bae122836726fcdf4b43fc1094a231d0c59c7efb7a2

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
276KB

MD5
026ee2bb0ff95c00b88be59560922164

SHA1
668632760a46c98b9367e803d7a10cf7d1039121

SHA256
4de8b4ee546d9f48919341245d684b1e58ce89259d7ad48ccad9bea2e2fbd4b9

SHA512
571325a2cecc585ee9fd8ca750ab28627c7d78bf9765c419ece4d075a524a35121e6b041b7bbd559c470c8ab742b568ef07b9df57da1db07c1f706449c41e326

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
276KB

MD5
cbf8992afddc1813a92be12bc7380fe2

SHA1
44eb5d0639b48a6ddb6e54f676df0f73a224d119

SHA256
1e36c66d2c4cbc1f445e38f3e9a7033df68bcfd2258efb43d63abcba2f075ec1

SHA512
fcf2ea47f50bbdafa3aa3d0be1387a3f59ffb9c8c0747fcaf758f3bb8986542f3dd458be66a8f81cabd84706ad4b4a330c5a471ae8b6b2c994dc6199769817ae

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
276KB

MD5
9b76d80c0907f9d9fb2c302b3971861b

SHA1
c690f514c8fcb20ace911bb3998edaa4df7f1312

SHA256
771176e3180d7159c92553fcbb401bf9c23daf98d2c0f1b3ac58d87ea85c06ba

SHA512
1b013b52c2a1c269c9cc3930888743a7144e96389779ca549733fe6f2a3997ed348cc2b19c47cc0c09530efdcfb6c5ba8d77e02207d2047129c63046b60ab071

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
276KB

MD5
9fcbc4c9c00d30b4e8dd609ffc342c30

SHA1
e4f108bf78e740a329b246309796e96932919bd9

SHA256
4d30e7b74bf94c08e2ffbfa683a12b5dc9c50c8db8a41b246285924ae2e59cde

SHA512
d68bb8c5f895ed60bba7908271823ec8b734b21b1dc0a17184623c0c13d55b5a393853fcf8e8ffa3b2879cf6fc3632e87e4b8b8832478c055341d8267073e017

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
276KB

MD5
013906e2c5328792213df51cea4eb1e7

SHA1
bd7b85446f89747ca95a3675d107c588d677058b

SHA256
b0f330f8894fa125adeb546ae09897fb2a27fa9560f9cf13ac325a6589d3dc14

SHA512
df403399c871091871ea6a4059bee2e595e6fa121348a8af8c36ddb9f683eceb40d3906ded68c7940384d5cf62bbe0904f534117588ca1a9238dfbfcc25b20b9

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
276KB

MD5
438daf3df25a764f199c54548a87d047

SHA1
a5fed9583122701aedb8989c501550dc470fc5a3

SHA256
7998e9e7a6e123cfa2784d5206b9f41a30517a25dd16c6df216d06e90ebbabf3

SHA512
79e5f5a59c92c77fea044769d0890c5eaa6d7e54fd530815f8a6b6aef215ac028edbe8669143a5a0ac216c0e5ff892a989545a46950edd72f1480680d317216a

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
276KB

MD5
ce1058afd3dbdb5fbd651dd996bcaebc

SHA1
b46975b14114facd54625b079b844ad29e20a8db

SHA256
b2355d60de2350075b721c9442a124bb85831a3850c122ac5dc20192bbcbf7a5

SHA512
1bc436a8748215ea56536921b88d046e356bdb665afa25c791abbedb1e040f10d430efcd869ae137fa94d83a1635197f2435cd49b31a0758b8d655edc34083d9

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
276KB

MD5
fe65502d6a74f96a20df447cfe77eb44

SHA1
f165220cbb077d836b8aedb8dd90499a236f3a64

SHA256
aa9dfe492302b15f5b8bebb028e8432914aed290b37e5f3b2d88c56cc43f66f1

SHA512
0d058efe8a8920492b0c79fdf501bd4c506cd5752ad3cdf01b339e700b1739d09a01627df0fa4842e6a06e67aca3fabd9f429daae8832fa02a1001d4e461a9d5

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
276KB

MD5
99968ef2d3679b1c24ae12256f48584e

SHA1
b9e86b2c70cbec68be9556bfe1d9f95346a1f104

SHA256
04f5c115bb013a1319d07ebe2d007a0845e9623ad923c4e10bb3b91f07c2a145

SHA512
1a02b0e2f3bbb743deff464af634c7a0472cfdd930176b6afa1b341bb7097ccef18fce620798a99cb23ce613a2721b7fd5e939838d4134f8d383c36eb52b7ce6

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
276KB

MD5
af839cf5f1448760b21147a58804dfc2

SHA1
741f5f808ceb34552ecc5619acef05fb4021f0ad

SHA256
c4e1d5ca54156ca0a67f10220ed0f45aab3f8427057dde40aca7e98922b1e0a1

SHA512
db1c8a14456a627c53f5000fa3ea27311ba0184fc2abdae125e8cd3263e7b65ce52fc66892ea05e2b8db2269b377701be19d75472d15573d31567ab533aad714

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
276KB

MD5
f6b01cf0b9bc796640a1036c66bf7bbc

SHA1
f5046631475404a4bc260f04c9fc36926140fdf3

SHA256
5a89ab2da4cdbd7983d517b3d5dc912237cb123bc0982371a0ac2250d55c4627

SHA512
e3f4265e85fa43d2d8e743557257db6aba994ef04dbba3c09ffbf6a9668a13bf4a27b8bc9dc7ebd12ee32c5f9271669a855fe8918b1624bdc3fddbe2c2e924c2

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
276KB

MD5
89d29c3b9f80dbe5e2f999aaff2ba9a0

SHA1
27a88468368c6f8820d8f39d1896317e0fd3df5d

SHA256
afa020e34721553586fa76969adbfbf59594fd67fc84867979ffa7c5cdd08ff2

SHA512
59177e20c016230ca590c7a4b8beb0eee4aee899cc7b1ad4753b0155ee59b7b00618d59ef1bdeb3179a0a0844b53e69ffc038d5a83991c880d6f6944bbb8cd84

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
276KB

MD5
24dcc1b2d19b5898d2b85d1314ebacb3

SHA1
fc830bfa6bfa244fa1ea6de000af1ca18549dbdb

SHA256
a42f77b955e6b28d2c4f44833c9cf83aad3acb5872906491ec2ec8b094d92bd2

SHA512
4039594ab2f3ba9fe5f6c31391a9f52d322cc7155119e79a3cbb029cfe6f89f0f6c6f2e276b067c4695db036263a228c8cd76e5438f9db2d52675f18bba5c64a

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
276KB

MD5
34b8e1acf677b7294aa60a77282f4443

SHA1
117f477d2e3292f2ba0a18dccd8e0e22be140f30

SHA256
507c0d463112522575435dea36006a162b9320628d14e9aa1da8db85ae786ff8

SHA512
bbf33200e3d95bec0b1f3be63ea2b256c237e4560afd12cc210f95a8f0a14522c8327dbdb04afac9e4b78b355fbc52601898cb55b02e0f12f90b29aa913b1cb1

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
276KB

MD5
d0251d1e25820154383f8b00152d3363

SHA1
fe80c8ea41f6456fdd10b302e7b7f9e81143fbda

SHA256
fc95cfb690f45987378538b2b53dc1418f0f110593f1a3203af69fa73854949c

SHA512
20aa8807fc913d43dd887c1a7db989e7a4778f51b47ebca0197a0c90cb7707b97393342ef7ec760213caf202ff3fa85017bbdc5c29cf63693ce8202d07f48a8c

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
276KB

MD5
f8d62db1a5adf54a77e4f8a4c80ea885

SHA1
747635e36007630b957a96443a93e4e9d3722983

SHA256
7ca6ffa52578285d86e6103b1037bd4c2c79d5a02b5879e395b1d44c3e4bf337

SHA512
120761c47b3ab68b8e58c7a7f00cb4b8f9a4058e0bdd59dd5dfe9347f77b40d3c7e2075d4f22e93911abcae5a1f6044c010bbaeb90fac9ea7939c81616ac9ac6

Download Submit
C:\Windows\SysWOW64\Lapmnano.dll

Filesize
7KB

MD5
1c8c5265a745198b76c9d4fe29319d19

SHA1
85a5e5dfebbdc965ed1efdec262a396ab200688d

SHA256
f991c304ef1b89816e38347fd2be7fa8cbe5c34aa1911ced7ad591b9b61119e3

SHA512
6ce48fff7de81cb9852b27aa7f28cf8a63ab2c5e5e0387a5af7e502e1ceea54eed91083f23a761988972a76c0fc090f43f033fb5184f09281fc593a49f14d43d

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
276KB

MD5
e81ad4a37821c7e64bed1aab01ed20cd

SHA1
339098385732eba1a9afd7184bac09c08b550c1b

SHA256
bc39edd2f5b8e0f1982dc728a6ede6cdb6aecf490284e05c94b8b5648d29a9c9

SHA512
58eadd962c05a8f91ec6bb82fcefbb8f45909a762f16bab8d1ddc16f07fe04a36aa83331482647dd4da1f184f61c258afa9271e7b65056d5721ae7f5fd1b83e9

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
276KB

MD5
d9900ede96b46386ef11d19898ce2211

SHA1
c53153a354ee155c7a01068c8d5590550d680a5d

SHA256
e44b008ebbee4ae8b5f5fcf9bd2f52136c5175aa558272176c9b759e56703b9a

SHA512
3645d5057d0c70c06878ebf54ddebf945af8cd9fca88be4fba58eb5e1227e8773106cf8e29a381023006d9076f59eb6cd3accd42745cacd4ca72569336fef929

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
276KB

MD5
9ecc8de3c64b84dd3a729118cfd2217a

SHA1
327130b92c1cd6f7b482d4eeee4422e5ab0e6722

SHA256
f1b2ba57b0ae3ee67e00956ed3e1e25d51312d47141c1f9687a1e6d3e677dacb

SHA512
ccce0365ff2a1289e1b729f028e7a9df5dfc80060038bd8985d7dbde6f7633b92762f3036d3bccc1e83d34f7b2d7a6f84ffedbd2262d38f8838f12cac20ba634

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
276KB

MD5
18cc277443cc61e3fd1f8a992d3fdbb4

SHA1
cbb9db9c7b64efc0e3e419ca8ad0c410aa4bbaf3

SHA256
d52792077eb6510f620adee5b72879db8737d1c05d6f55220cdc250104f6116a

SHA512
e6b5fff3c9489e8aaf651ed7207474ba7fb0ecdd38cc77dae120f9af76c93ecb9d21889644e9a2786138c2ed07b12ae728d21249868ff80561cce4afe9fd56bc

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
276KB

MD5
06ef0c109c6765b5ca6a91bda5c83c69

SHA1
2e97574aff03ca9685bdf3db916ab2d30ecf41c8

SHA256
439a3d14466798e7fa71b46142b2d7150a20f3c46f2639dd976f1aac775dfcac

SHA512
463648314c700e44cf3255dd87bb55ec0f129fe67cfacdd522b8bee160eeb1d20ba73312c9a01576c02c2443ec487335e815012a8f84e50a1d9e8c28b207fac0

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
256KB

MD5
3a1d02c627136d0ab7393d96756bca73

SHA1
3a7340066c72f0f21eb668566ccdfd503bde9434

SHA256
aef026d0de203ee1b4e9780e25fbd95156ac5f6c05b5ba6b1e74e2a80961ac09

SHA512
98407a97c4a71a4fad83ac5eec21e0330f7d159dbb6bddf47c35157a56eaa9a375cc2edd2c81ae5f6e4850d4025b745467aaafa32d7d066dfc46349d86835a17

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
276KB

MD5
322a97b74aafe4582ee45b0b9783b822

SHA1
01eda2932e48c2db71ed611d695a6f99663dd2c2

SHA256
d93a974967df5d6f759ca2d229dc5cf6abf839b43ad96e7f56befb742d8bfe13

SHA512
2c91e10391aba9f8e14015e1998f0ffdca96da901946adebbb04347839ef5a2b688204972c69743ee46081203fb3e88d0f41eb11f674f901eefa3e3559b3b6e8

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
276KB

MD5
559ef95e6fc9af430a7e3c37355db53f

SHA1
0d4e3e2312182eb931d314f0f109921328356c15

SHA256
621712dd363bd6d1801e37ce48a85e2304f2bb962b853609b47599366b3faf94

SHA512
fba77a7453633a3452e8a1fd54722659bbb4e89d7e60844485e160fa399d197dd7444441eac38619692a93b1794ee032b84881d9137a88c10d2fa92e5044d5b5

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
276KB

MD5
e92e69fd678c867626ce107423dd6c21

SHA1
726e22692057d001fcd4fb7e103cf065069670e5

SHA256
8f86458983e1da74b86c875d54d9de90db59fad2f434dd64538b516d5632c30b

SHA512
70b90e4c3b9e19f23b92411cc6b4860ba1f5f0f35b7645efbb6eb744415029b6421c78896ce79c34d75e2f8b49cef3fe76b0b1e8a2aac1cdd3041a85582137f5

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
276KB

MD5
3a20e9e9019c34a21d04c1bc8799a3da

SHA1
e9ae1c7c9090662f1c241628d8df1a83c392a4b0

SHA256
5a1de9b7e78b20f32deade41745fa78e7ade050e22bc4bdbd5d34f2d0c808fd9

SHA512
eb6dfb806949fad494d4ee39b2a63c8dd764d89294dc5bae1a513731646532b5f66a4aa289b36e7468a3628cbd1be48cf65e891dbf2ab76abc94e13520355fcd

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
276KB

MD5
cfd3ea672db53b0e63d297146f0b57d2

SHA1
f8393e102602270919101c8756d49a56eafc815a

SHA256
52819ce5053e40afd32be29891bfef4567e5e4740826fafe82325a5b83b00be3

SHA512
1d05def873f562f9c4cc1da2cc0230b9b116d570cc3d31273f0607237b0890a62d077b9cb9c2b8275c27a7c0a05d30bd6a2a5a02ffad22294c0aa21902e09f7c

Download Submit
memory/380-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/704-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/704-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1212-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1212-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1312-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1312-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3180-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3180-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3332-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3364-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3364-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3448-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3448-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3452-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3452-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3776-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3776-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4612-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4968-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4968-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads