berbew | ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbea

Analysis

max time kernel
113s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
Size

422KB
MD5

e864e9c1f93f3a1503a831aff0ee9060
SHA1

a5c2f25433cb1059ce310569c6aa105ba8216a66
SHA256

ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbea
SHA512

3a131e8ccef8f3c1f0aba5c8d2f40bb9de8d754e1fbdbc6717aaf7683ab1bc945d659f55d6c0443ddd379fd34d5c6acc47c7181d69145a2cce4aae491d938ee1
SSDEEP

6144:vjPTktbabO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:LKGaXgA4XfczXgA4XA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 50 IoCs

pid	Process
2820	Nlekia32.exe
2612	Ncpcfkbg.exe
2588	Nenobfak.exe
2524	Odeiibdq.exe
1040	Oaiibg32.exe
1852	Ohcaoajg.exe
1992	Odjbdb32.exe
3040	Oopfakpa.exe
1252	Okfgfl32.exe
2864	Oqcpob32.exe
2160	Pngphgbf.exe
544	Pdaheq32.exe
2060	Pgbafl32.exe
1952	Pmojocel.exe
1788	Pmagdbci.exe
1280	Pbnoliap.exe
1780	Pmccjbaf.exe
1932	Qgmdjp32.exe
952	Qbbhgi32.exe
2424	Qeaedd32.exe
988	Abeemhkh.exe
2452	Aecaidjl.exe
392	Aganeoip.exe
2696	Amnfnfgg.exe
1604	Aeenochi.exe
2892	Afgkfl32.exe
2576	Agfgqo32.exe
3044	Ajecmj32.exe
532	Amcpie32.exe
2748	Afkdakjb.exe
1440	Aijpnfif.exe
2276	Acpdko32.exe
2100	Afnagk32.exe
836	Blkioa32.exe
2660	Bbdallnd.exe
2196	Bphbeplm.exe
1268	Beejng32.exe
3068	Bhdgjb32.exe
2368	Bjbcfn32.exe
660	Behgcf32.exe
904	Bdkgocpm.exe
888	Boplllob.exe
1552	Bmclhi32.exe
624	Bhhpeafc.exe
2472	Bobhal32.exe
3056	Bmeimhdj.exe
1784	Cdoajb32.exe
2188	Ckiigmcd.exe
1576	Cilibi32.exe
2788	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2728	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
2728	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
2820	Nlekia32.exe
2820	Nlekia32.exe
2612	Ncpcfkbg.exe
2612	Ncpcfkbg.exe
2588	Nenobfak.exe
2588	Nenobfak.exe
2524	Odeiibdq.exe
2524	Odeiibdq.exe
1040	Oaiibg32.exe
1040	Oaiibg32.exe
1852	Ohcaoajg.exe
1852	Ohcaoajg.exe
1992	Odjbdb32.exe
1992	Odjbdb32.exe
3040	Oopfakpa.exe
3040	Oopfakpa.exe
1252	Okfgfl32.exe
1252	Okfgfl32.exe
2864	Oqcpob32.exe
2864	Oqcpob32.exe
2160	Pngphgbf.exe
2160	Pngphgbf.exe
544	Pdaheq32.exe
544	Pdaheq32.exe
2060	Pgbafl32.exe
2060	Pgbafl32.exe
1952	Pmojocel.exe
1952	Pmojocel.exe
1788	Pmagdbci.exe
1788	Pmagdbci.exe
1280	Pbnoliap.exe
1280	Pbnoliap.exe
1780	Pmccjbaf.exe
1780	Pmccjbaf.exe
1932	Qgmdjp32.exe
1932	Qgmdjp32.exe
952	Qbbhgi32.exe
952	Qbbhgi32.exe
2424	Qeaedd32.exe
2424	Qeaedd32.exe
988	Abeemhkh.exe
988	Abeemhkh.exe
2452	Aecaidjl.exe
2452	Aecaidjl.exe
392	Aganeoip.exe
392	Aganeoip.exe
2696	Amnfnfgg.exe
2696	Amnfnfgg.exe
1604	Aeenochi.exe
1604	Aeenochi.exe
2892	Afgkfl32.exe
2892	Afgkfl32.exe
2576	Agfgqo32.exe
2576	Agfgqo32.exe
3044	Ajecmj32.exe
3044	Ajecmj32.exe
532	Amcpie32.exe
532	Amcpie32.exe
2748	Afkdakjb.exe
2748	Afkdakjb.exe
1440	Aijpnfif.exe
1440	Aijpnfif.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Pdaheq32.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Ajpjcomh.dll	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Okfgfl32.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ohcaoajg.exe	Oaiibg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Ohcaoajg.exe	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Lhnnjk32.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Aeenochi.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Oqcpob32.exe	Okfgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Plfmnipm.dll	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cdoajb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	2788	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcaoajg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odeiibdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaiibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaiibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbpnl32.dll"	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaiibg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2820	2728	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe	30
PID 2728 wrote to memory of 2820	2728	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe	30
PID 2728 wrote to memory of 2820	2728	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe	30
PID 2728 wrote to memory of 2820	2728	ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe	30
PID 2820 wrote to memory of 2612	2820	Nlekia32.exe	31
PID 2820 wrote to memory of 2612	2820	Nlekia32.exe	31
PID 2820 wrote to memory of 2612	2820	Nlekia32.exe	31
PID 2820 wrote to memory of 2612	2820	Nlekia32.exe	31
PID 2612 wrote to memory of 2588	2612	Ncpcfkbg.exe	32
PID 2612 wrote to memory of 2588	2612	Ncpcfkbg.exe	32
PID 2612 wrote to memory of 2588	2612	Ncpcfkbg.exe	32
PID 2612 wrote to memory of 2588	2612	Ncpcfkbg.exe	32
PID 2588 wrote to memory of 2524	2588	Nenobfak.exe	33
PID 2588 wrote to memory of 2524	2588	Nenobfak.exe	33
PID 2588 wrote to memory of 2524	2588	Nenobfak.exe	33
PID 2588 wrote to memory of 2524	2588	Nenobfak.exe	33
PID 2524 wrote to memory of 1040	2524	Odeiibdq.exe	34
PID 2524 wrote to memory of 1040	2524	Odeiibdq.exe	34
PID 2524 wrote to memory of 1040	2524	Odeiibdq.exe	34
PID 2524 wrote to memory of 1040	2524	Odeiibdq.exe	34
PID 1040 wrote to memory of 1852	1040	Oaiibg32.exe	35
PID 1040 wrote to memory of 1852	1040	Oaiibg32.exe	35
PID 1040 wrote to memory of 1852	1040	Oaiibg32.exe	35
PID 1040 wrote to memory of 1852	1040	Oaiibg32.exe	35
PID 1852 wrote to memory of 1992	1852	Ohcaoajg.exe	36
PID 1852 wrote to memory of 1992	1852	Ohcaoajg.exe	36
PID 1852 wrote to memory of 1992	1852	Ohcaoajg.exe	36
PID 1852 wrote to memory of 1992	1852	Ohcaoajg.exe	36
PID 1992 wrote to memory of 3040	1992	Odjbdb32.exe	37
PID 1992 wrote to memory of 3040	1992	Odjbdb32.exe	37
PID 1992 wrote to memory of 3040	1992	Odjbdb32.exe	37
PID 1992 wrote to memory of 3040	1992	Odjbdb32.exe	37
PID 3040 wrote to memory of 1252	3040	Oopfakpa.exe	38
PID 3040 wrote to memory of 1252	3040	Oopfakpa.exe	38
PID 3040 wrote to memory of 1252	3040	Oopfakpa.exe	38
PID 3040 wrote to memory of 1252	3040	Oopfakpa.exe	38
PID 1252 wrote to memory of 2864	1252	Okfgfl32.exe	39
PID 1252 wrote to memory of 2864	1252	Okfgfl32.exe	39
PID 1252 wrote to memory of 2864	1252	Okfgfl32.exe	39
PID 1252 wrote to memory of 2864	1252	Okfgfl32.exe	39
PID 2864 wrote to memory of 2160	2864	Oqcpob32.exe	40
PID 2864 wrote to memory of 2160	2864	Oqcpob32.exe	40
PID 2864 wrote to memory of 2160	2864	Oqcpob32.exe	40
PID 2864 wrote to memory of 2160	2864	Oqcpob32.exe	40
PID 2160 wrote to memory of 544	2160	Pngphgbf.exe	41
PID 2160 wrote to memory of 544	2160	Pngphgbf.exe	41
PID 2160 wrote to memory of 544	2160	Pngphgbf.exe	41
PID 2160 wrote to memory of 544	2160	Pngphgbf.exe	41
PID 544 wrote to memory of 2060	544	Pdaheq32.exe	42
PID 544 wrote to memory of 2060	544	Pdaheq32.exe	42
PID 544 wrote to memory of 2060	544	Pdaheq32.exe	42
PID 544 wrote to memory of 2060	544	Pdaheq32.exe	42
PID 2060 wrote to memory of 1952	2060	Pgbafl32.exe	43
PID 2060 wrote to memory of 1952	2060	Pgbafl32.exe	43
PID 2060 wrote to memory of 1952	2060	Pgbafl32.exe	43
PID 2060 wrote to memory of 1952	2060	Pgbafl32.exe	43
PID 1952 wrote to memory of 1788	1952	Pmojocel.exe	44
PID 1952 wrote to memory of 1788	1952	Pmojocel.exe	44
PID 1952 wrote to memory of 1788	1952	Pmojocel.exe	44
PID 1952 wrote to memory of 1788	1952	Pmojocel.exe	44
PID 1788 wrote to memory of 1280	1788	Pmagdbci.exe	45
PID 1788 wrote to memory of 1280	1788	Pmagdbci.exe	45
PID 1788 wrote to memory of 1280	1788	Pmagdbci.exe	45
PID 1788 wrote to memory of 1280	1788	Pmagdbci.exe	45

C:\Users\Admin\AppData\Local\Temp\ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe
"C:\Users\Admin\AppData\Local\Temp\ae3bdb01ce6222a620235331075a1e1f36423fb01ad756eca3b20c0a7494dbeaN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Nlekia32.exe
  C:\Windows\system32\Nlekia32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Ncpcfkbg.exe
    C:\Windows\system32\Ncpcfkbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Nenobfak.exe
      C:\Windows\system32\Nenobfak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 140
        52⤵
        Program crash
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
422KB

MD5
271d3c9cf816590388f2b3968a212bf3

SHA1
f3d90880c89e855f827d063368d784eae6129ab5

SHA256
d14d24c04ba88460d5070b0ef4885fe00118ecd46e2508aa3735bdb7ce9f4cf4

SHA512
a3c1a2c5fc75a86d1b5994550aac1d034f66756006cd76a252c2c34a36fc4819fcae8ac938d4603abf7ebd2bef1ac03c337cf8c4a994a0bdbe59f6dd0bfdd2b7

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
422KB

MD5
ba44549eaf03f75df7b0eff38aa02f48

SHA1
0ec32caff0d110b16d5fe0ab51382a4601367445

SHA256
163d85639cfdbfaeb243380df2954c0272fd32f6af99f2a476d02be33823fa97

SHA512
ea698c381b78dd6c7f0fa4b054e79beb954a68e50cbdaa8f753b9042b6dc7020328db3b2a74923581b70e42a7c77b19134c46e128ae39f5e269e39074ca05cb9

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
422KB

MD5
77f23a7646c44ba3a9aa0e0a84ac7efd

SHA1
bacdb60780e42cb51582cb363cc00469994faa54

SHA256
da1efe7c6f3e989a58a65fefb22321e44dbd1fe4a9f02404e70f5a92b313016e

SHA512
0e60314f32615dd1d5978d23964410b9c6a38cd5d9646311cd1d0522415a547083876f343685837d166aea6439109f29eff400313f38ad8b555a71c14f95262b

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
422KB

MD5
9fbabc08f0e0180620b42680732f78eb

SHA1
7a8b5bad36d4a949d77266fbc64587111355ea8f

SHA256
b890cc119dcb21d326842c28a89400e1298d9ad1840b65c7f939c5a5dc3b3977

SHA512
6c5a5d2cb593d659872d1da69f92ea3fdf9667d18c4c068219a08f868d2eae5a1765c8295d1f6eeb9f6a0ddfe15d154ce0e2fef829a7214c71e210a0f68abf80

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
422KB

MD5
1c542db3f81c9c69c699edb89b41ac77

SHA1
e10227a50d7da5766b4c3f51507e21e1cba7e494

SHA256
76d20742e113ec9e9294f42dbfa63b666ef249f0df041509be7138c51aedefa2

SHA512
7e0e97b9db46c07997f66e9612de579b2b51bfc16c98427f9c40436b356496d936c39dba6a9649be2b58f649f636292ef7a807f167bd6ce2ac5777902e031c35

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
422KB

MD5
1832178dd65244869898315bfbc355c5

SHA1
c6b1e79c455049665a8288a0f0b034a92a1408e6

SHA256
16af1e7c9958f32fec69b777deccb3ece9437d3287c0ef3d1941d85afd870abe

SHA512
9f32e9e3920012b88528e0b20611518b386e5cd3a4443266dc366de4256e5c4f342c659e2056146311e64861060d80c001126df64331241130db9047a707d7fa

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
422KB

MD5
e407a5a13e47dd02bc11fb4941789722

SHA1
4a4fc18c7420e6da0bd70b4aa40e430ab3cb3c67

SHA256
4b7a3796e099f9ba1b36cd935a75c6a4779de5eb5dc26372119a706b21131637

SHA512
fe0dd28bfd528480c85a1401bc42f1628f2c379e5e750729465cd9a09693371e74d993d892f1867e08c861f657c6eadfcf9450063d43c4e107569ebfe79e6119

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
422KB

MD5
39cbf3c5a665face5322828b4c8a5174

SHA1
efa6eb80028fc81d0859c4a2b10879592193d8a9

SHA256
fd7222b47952b4b1a7b19c760194d03d01d4496754f01f2df4f4a4c74aea00de

SHA512
d887c48923e0ee2fc5c34cd8e506ea5c27f4152d1d0dbff8ddcb6efc8ccd96bb588f1fcdcc6781d6ea543048a019b0f030c689997a5d2cf402c4d924f2cbfba9

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
422KB

MD5
adc283ba1370a6261333221df5e6859e

SHA1
745df4846aec79e92585ccd7cd15aa5658c1185f

SHA256
2dfe81ce6204291e98f34144772a8031734ca24af0197d9612e4e73f2b1cf051

SHA512
cf0d78c5d7186f878f15f98164889e40c7c2d748a1071b1af4aceee8d5e999a59faa25905c0dde4b7cff75229937b1579fe436e827fb1460b3e1cc53d3c872a0

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
422KB

MD5
56d401d47e16155a3702c97de9e7f93c

SHA1
3c238ecea1bad39dd18f0fc9a4281cd855d14971

SHA256
988ad9faa3ca08878033a8ef6f6419270cc9f2b9e2e263b4c2727904b2256cc5

SHA512
5346feb67fe24345b456f9404cf3e2471910c0f52dc56f84b52495372ceabb08c62ad1afa2676c72a2945162110f42d66fb215d6a6ddea8f053d8f1c6dcaad96

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
422KB

MD5
17f6546e3e764c623f9f9cf1825c3b45

SHA1
bab77b43b9b53008fa2fe2e597258c0b6bfc092a

SHA256
61a6e9f08bfae749b03b2e29adc935af02a5f56bb9d9cba6dc2bc5135a872e1e

SHA512
6a0051cc97fa206f72d36e3be9aa446511f34d419bf7bda98a243a0bbaf240bbd181e3884dce518c360138fd2b507d62959c8c339e8ba54d5b5ead07c8670041

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
422KB

MD5
8b0503a72e368c0b2a5e37d5621ee74b

SHA1
664afe17023a1cfcaf8dc752841440eaeda94f88

SHA256
451430bd29b4eaabd262a3ed9316dbe0af8bdcfb1e860fb5213db80927d42980

SHA512
862028257e4235dd632597bcf3fe09c989e3579aca249ced9d7c18c586300cd12b9a977fb6e5efaafa502b592b3bc7c66e20aa66afdba4cb5083931efa337d04

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
422KB

MD5
5d1e7e2a2c2c7fca9020e5a01134721b

SHA1
346c0baeb87a1d9ebea77385a2b9e7a7fea92bc7

SHA256
488cc65e939be32ffef57f1d4264a07bda2776b8ba5197c4a0605adbf9b2e9db

SHA512
7fca19814c8df66402844bddd5ae3870f581beead2ac3afa2b48ff14949719805997f33302dd8dbce3caf828902ec93f654306ca76d9ca252a42435115575eef

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
422KB

MD5
c9dc63a15c26991d5204f1c6edb59ceb

SHA1
e67446752221bd55f09ac3d0ec7938511903cb07

SHA256
22f1d80953f2bc17b13ab312ea3a765fb9a0322de9965d63f78de004d9e3368f

SHA512
1bba442fba52d6cc45c5c6d2a43f9007aa0e384d08df915ede5c255a69d6bd55e2288a68067379052be784f1f88707c9b6bb39ac7bc28cb9aa211d5bbf2b4a51

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
422KB

MD5
031bc3cbbcee36b250e31aeb845c5855

SHA1
074a34bfbcf184b2135c1c389b416b0a23f57135

SHA256
d1c247e6788474f942d086cfec9cf3999a55a489fa74134e95b4896b4bb0e15a

SHA512
2f93409895f27503ec2722c34f5ed18ef2e317eef509f0c83e5c6d4a11ad8f3656d4db8ad230d6e3497d21190657f17eeec2247a22e6413b4bd0b69126459d1d

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
422KB

MD5
632f9fe60aa2e0acc6c834cf870a5314

SHA1
c3b76b035db2fe03b29c9b5c4262c5fd98b3e83a

SHA256
7ddfaf59ba42e48aeecfd7460dcf8204cb33b7b0ac86f7e5aa6b04174b7a2447

SHA512
6ee65a069f542287b86699ef0e753650a969e7b9e490412bcf9a076533faa2fae3fc55a1e6c84c65b00c3aee05646d22c311e0dfe58cfaf39eeceb478e04a570

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
422KB

MD5
5458c388ad899d5c15ad853a768f572b

SHA1
b1d88ea422f39cdf9aec1158c013a36f6cf79692

SHA256
eef08ebfb583a24a2c044c5012b7df082ea59a92dc9698dcf89cbcc08797a1ce

SHA512
5a3eba1ca3c012d07365d53861fa4d7701a8cc780c66453de795ad4df069b656255c63628e98753d11a81a2bfdf2fe01d7e76c2f792f7554fa991e316e9e88c8

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
422KB

MD5
34a6c8eb9ecf8525b80ffdd7c357282c

SHA1
7484d65af5c0763a1ba9770d686d2c0ea9876906

SHA256
f9e1902f0ca4e614fc3c1277f1daec58a672cc135bd08ea5899b65595c1c33c5

SHA512
cf8eb49c377f8211d3f615e8cb0541bb24cceda405c7437061f0b66b9dad013cc44f608268cc3e7a1f67ebfafe51ca430ba00e596de6754b31801776b58c8b35

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
422KB

MD5
0740b4e67a676b861a54b15392af5711

SHA1
501a32abef5c1f9e2d3cab47e0f1e5c8e94d770f

SHA256
2579a349962cdac7d5c9138b0d4360f3e5381b6ff0f214d81011372b5df78ac0

SHA512
c237ac80fa2f5552af99032df2df90401b9cf56fe04a8d90e127e49890300f90dd4c5057302fcb840957853371230897aa3ace87862fdf0df1ee446f675e020c

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
422KB

MD5
5e20a0cb284256c9bfff3e4b8d6a5a8c

SHA1
3f384fac06ba476334ce52e7f761300537309668

SHA256
d791071d2a3b1e7bd975927041b37ccc05484ff4e1fe2902e34c9ff325f11939

SHA512
7f8d7d4fdd85686d7ff72f4e2d6e2ddfa9c21415b33eb6a9cabe20e7f00bae583026b6bc95d95491d935657decbad0534ca787f9ac518f0a8c3e79dd3f13fdd2

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
422KB

MD5
52ee3e6772beff99deb7d12d64c844da

SHA1
6e0d9b5887b4a4bbee030d235155eb88a7db4757

SHA256
1dbd41936cfba3c855bae6b055c9b7e864c34911f0f269d2c8f2f7bd03dc026e

SHA512
7bd036e8b2412a7fa2c2f2f47efc45c27d43e459109958fa42f4782c5830684f8f554ded3ed5e53a2bda1979c70fba87ea096c69cd3bc4d6ee6252f58989a6c2

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
422KB

MD5
11b977f4cb8a5bbc9090bb4f2bf3846e

SHA1
fdde8824757f49c501920ef0ca2cf480b9024b70

SHA256
d804df5be21aaa78866923c20d81be192dd050fac63766dd53d0e3d82272f72c

SHA512
e91d240a5ffc5d0321dc3f18f18bf6283c6e1e5d87d6b6ce38abdb32dfdefc7c3b1b41cdd932978e781f4ee3680eea3ed3316d50112efee16f6e4c8dd895c873

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
422KB

MD5
4cfe18975bc5f63f72f4f633ad7e8647

SHA1
9d1519ca1f2780b9cd044b705acaf0dc2d92c011

SHA256
1ea9a12d7dfbcfab8618c73e4e4d8e962c16dcd427f67d9286781e877c148142

SHA512
5813e5df84e5309e2668bc328f725ace5e062625b0adc4216edafbd931cae0829fd5f41183fe6e24c71190c63b187fefa4ad540153d8b989c5733a555ba0bccb

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
422KB

MD5
3434c0f5868e8a1d2fb029f7d2d46b9e

SHA1
4ceb0af6ccd6afaa843b8082394a83b194ae6865

SHA256
97f058a8f37aaa62fa169140e1142eb77b33c24ea32c74ab5d0ead812e9845d7

SHA512
6ea02d8cfce7f1679be320439f370d658e94345370a209e02b024defa4d4d5bbad80af5055ec80c79f6a7e3ea71de188df116eddc03b97a7f919e2c11f247f28

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
422KB

MD5
2970cc4b476d11fec415325534260e83

SHA1
345d1ef707b06e570278a068cb1d5772237d7946

SHA256
5c128256a1c42888e1162be9edeb7b5441057ced25997c279fe87ab2b27b9f97

SHA512
05c750dc9f37e4608e32aeb7b9e1f47dcecf4765b04e7a8cce742fe9da2b1be893fc90092d122e76358bb7698bca6865b434c7d5f702c94f5cff382e1b522753

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
422KB

MD5
f71b47f72a398b7afb152dca96f00304

SHA1
b4ebbaa7822c0e6949d9fb1122bff7e32d0f4fbc

SHA256
d9d4f529bc4ae5ca6ddf5c89de70627dcc5beb04a448ac596b3d63707948b83a

SHA512
1415260fa14c56a20210de8c273b88510714e21c863c714f329134fb0fd93a10030ea581341322d67d6472d4a581bcac906595129e8cd8182151a59c5a3dbd9f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
422KB

MD5
785e47d53b1e149a8760b10ad77fdfc6

SHA1
bfca8b3a934d03e16d3a1668a1abe5ee31c5ba4d

SHA256
33aa5f05a252dc37a4d88e6c4734d8e329eba1c648c5649250356c63c9052607

SHA512
057cf22ebc644473d7e717c72c98fc208bfef624dc77527e7c6a3b98064eb05d73b2c6948e4613147c677175c375e0fbbdc88fbe08f75f206d30742d613cc2c7

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
422KB

MD5
27917f568f59d2588ff92955f732e2df

SHA1
77cd3536e0e4d9ce05537ab573b27b9a6fc38b63

SHA256
491eec07f94454492f467ba309a3f48813a23cb04e0f1ecee928b7f8b422059e

SHA512
3b7da6eda94b16884723816385706dd70d5eeef1f6dfdd9abb908138d96678a67b11c32c848d1538dda5e2b7359783d449664904382678504d643c982bf0e888

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
422KB

MD5
66ba5f39bc0e8661563638f5918d7a10

SHA1
52b8598fe720c23be1f68bfe2c7e7c7f0b8c95e8

SHA256
3c34f1e1aa736d955e2b4e268986d4365607aabb464616937abf74221babc112

SHA512
cd6746c8c067759699cceebcbaeb182f9d8b7fa5640d875f91638273be309912938e9245d15355b4eba5ab6570fe09e52bddd420985a220bcc8f293c426cf5eb

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
422KB

MD5
bdd4b286b03e48b415680d4967a9d00f

SHA1
754435d9c7103fc195314f7ac57d8ef89d0722f4

SHA256
d52c39516b4ade89dff4873c33878b9354916de929cf52a68b711076957d0fba

SHA512
f50fcd0fa959286bb5d4cc16930a0e7fb8f01ee7e90f7e45748704c53673287c9f03c463fe980934dcb9e35f2d67eed23a45b035a3f37719af76ead935e69562

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
422KB

MD5
41f676ceb126d4805a2292b64d4f68b5

SHA1
e7bdf1512723ad58af5ea25a1a5bb84966c1d76b

SHA256
3b8b112579b2125ed0021de09f92bca23d71e8809fe2720133a41d06781342c8

SHA512
271f085726934231ba970acfeae1af11f7963743cea68605c52695911f21421a8a903333ad4b74fbf5d1acbf491ee18653427e35dc3c3ac404d363497760b9ac

Download Submit
C:\Windows\SysWOW64\Odeiibdq.exe

Filesize
422KB

MD5
097c4946fe6400bb69ce398154176be1

SHA1
380427f56cc1a95f53cb20adaf33f51406eebe0b

SHA256
f1389d5c5771ad107d1012fe713363014602a3f7f98610239832f7411f02db23

SHA512
3e2a02dc1877edad09358e039a023b5c0410e89ec2524cdfe5a9f7aa1ec854513fd5468795d36122b28b1520105d7e6e9ec3198892b68d9624abb326b2e4e768

Download Submit
C:\Windows\SysWOW64\Oqcpob32.exe

Filesize
422KB

MD5
21813165a74cb6ce4e63c1cd0633652b

SHA1
ccae12d890e5332ef6986d4b5b313a0755a706b0

SHA256
3ca2001445f417ecec30c2b7ebd97bc701e4242765659aecdeb752b6c36efeda

SHA512
e13bdd837187a7c9da4c8eed68aa687982e43128a60a1b255118b19190baedc7d75373982c178ce0fc4ad1ee4e09ed59c4b6da6596a90b6a453dc5e3a9a3d0f3

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
422KB

MD5
4e110b35e636b5fc9381d2a81706518b

SHA1
cf64bcfd7a2a0e7b128776ed4565888d83da59f3

SHA256
8296b03433053e87f22e7c40a11a55d17e2ffd7b907698e49bbedcca86b7144f

SHA512
034403e66bd13b32a5610d08db5458d5fe9d2aa8b5bc999f30b28fc2744b6b006a17abf67cb038a93ada9210c73a887ab565899fbb29ca734104e5469a87cdf1

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
422KB

MD5
7b576ab75dc6ee18f69737cf406640d7

SHA1
3100a4f761a633a1d4cd0249e9c5dc77f11774bb

SHA256
99af6dbf54241fbeeee2a98bc7cd51ee356d10270758018ec08d17d468e69f51

SHA512
8f2f5602804d7893a6aeb4b65c31e37f56741219af94250af4165034e54d28a2ec39210d30a34a2fd26a30751576c12955f025729fbbbbdeead92b299384788a

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
422KB

MD5
bc8ffcc2fc112310fc7cfdbfb48e68c8

SHA1
a2ea1cf9a66dff0145d5bd20a68b85b6d694003b

SHA256
d0bda98ad27081e486b985214d568d3bd0bda2407cd4d7c9f657684a379f16a8

SHA512
e802d35f2df49a502cc111e3145609a0da408192d153a6b3757829263993a473d8e3f4295d0cf694be07c75ca321e0656ee0a3d3b2e032ad8a36685afe69e6f4

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
422KB

MD5
a5ef5b3c0be734211018380a5bb83e4f

SHA1
8e7970d8438bbf355fc4860f07426df6bf221b4f

SHA256
e60fd957670729ecb0679cc3649bbf196da7283743dfb621fa7665a191b4ca87

SHA512
b021bebc33ea2b7c5908bdbb6882fb80e54a827cbd7099e75ad074f34b34c07aca2b951bdf6e19b8481876941c0f60f6629e70b928147fc30d69ae097828760e

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
422KB

MD5
6e6baaa119348ea180d66f2b4a2ccd81

SHA1
69387cff8448df8bf6826fb74ae14aaa656605a8

SHA256
0c28667eb6f33d89928f9713d6bb3712171b1f0c411f381fda509bdc0d69cece

SHA512
d26d15afb6fa6819794d7a46723b60b1af374f1b9c70edad0005c32516534bf6f9b0f53037f8690e62729136082494da79a94bfda2ea3a885b14d47b8ac4c1a5

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
422KB

MD5
e1c670c9135fd70f65d1caf794d1ddea

SHA1
85f8859cc5b375964069a05affa47b7d9f8b0a33

SHA256
6588f4b503047e4666d882828c10ab709dbce734da72ba4426a66ef4f752ad2a

SHA512
1ece6a9903027d8f0e43946d16ee92fbf4c9cfa30c5cd488d00da1bba6d3a2b77c5b943877a83f376c61e3321604f14a55650126afd4044d380a25bd25026be4

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
422KB

MD5
3e8ce68a546ebe69f48514ec7dc24c6f

SHA1
ee8ba1d3582585489aa343fa77c0f5aacc631ae6

SHA256
0fc5b048313c45b3d255466a274310625b147dd7a246e1f7ee1a8370b2fb2524

SHA512
fe8de691747fb043ac5c0bfacaddf2ed63f854f904cdf8b4442b9cff147d54989eb0dc72298693566c39a3e2d219d3626f99f5c6641c85054ae557993610dedd

Download Submit
\Windows\SysWOW64\Nlekia32.exe

Filesize
422KB

MD5
a906257dc8b797d4fead4b2a16936860

SHA1
48360ccce2bcd405597e4c2ecc29dc376729c122

SHA256
0ee3f0a46c70e92ebc90fc98488ef06f6708e2b63c5121e755af26725af489ac

SHA512
f5b95abab1b44cf37d11ce615125147162b4ab52d5bf5fc1780d3414209137f38d5a13b2b6722c8d3074beb8a92fef1bf749e648e9f34076b680c51eae4f5505

Download Submit
\Windows\SysWOW64\Oaiibg32.exe

Filesize
422KB

MD5
8ca27b656786d86969e435391d449d8b

SHA1
39c114f03ab6d9dee7a421f5abd4307932ecb42f

SHA256
f9ae2212f35e79ac7ff9f6f6dfd408e9beecda2a25a845b229b2428efb2f82a8

SHA512
84bf4a16f0bf55ac3302a62bc0119622c4a4ea7012ccb70b791a11758e1f89af9784289e8f38c261e0c772550ff99b7f7f6a0a20399a89cc270e93b8ab80a695

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
422KB

MD5
248cd2b1414016c5deeae3904be2b349

SHA1
8db55824ac37ad88ece05e01d20131304b095417

SHA256
3e0dada0c5de62f0120b1826c95742a46955c51b4409b540d3b32f80c18a79d9

SHA512
5cb16f59bf9a46dff43540b42a3a5bc497e5eea67cd7544a5879663064aa343f1b5ebfedaa6a83ba6de078ebea8819817ef8cd7e73ef82fdc6d3f5a6dcf310ce

Download Submit
\Windows\SysWOW64\Ohcaoajg.exe

Filesize
422KB

MD5
c247cfd66cc783ffab9f7739f1794806

SHA1
7868a7dd6d201c729c160b4e5e9b9939901a376a

SHA256
74cd6967d0e746522a4fe767d0be37edb2c3296a62d552605945b32a25047b8d

SHA512
6c8fd6975d655f896151267dc4acdff8d3e58796337e55d7ecaaae09c79e52e9ef72a3cbfabc85cbd81832c0015c49de639a81b40653377d6dfa1585630de5df

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
422KB

MD5
53b6bcedd98c752c4d0de37b3a15a9cf

SHA1
e04cf90773472874f34aab48fb80197827205695

SHA256
3d839792fbf3d2f68c42b0a0356750c02895e273b4dfb0afcf6989fcfc63e1cb

SHA512
a1d3a6e4a4e107afa668649d6cbd3868d7a460a1db6fb6b050f276c3f824c2504530a489af9187918c047995fcd37d3ca886bd0e9e5a6e2343f6968bdae7a821

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
422KB

MD5
26f7c5d4f55b251fc3694b1929aae32c

SHA1
9900f96972972182daafe5760fbd1e1086d8477b

SHA256
c95d9f9118919db1e2f1fea090f1dd64b214457a6185e1d78d5830dbf27c7128

SHA512
4ca3cc093b31366b8f291714bb05f72120324fcd8f3418238452b7b85230e720d2c6deab3c4999312694d88ae243d1f7888b6bc80efaf2c38534f3b868180a82

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
422KB

MD5
e1c5f068a34f34b7a90a6bea07f6097e

SHA1
1aad4e70222bd74b11fb2df4e15ff8ee5ffda555

SHA256
a7984d78a9cf3300e48c2ebd9af0ad3d824336df2bad3a865120a4a10d84d929

SHA512
44c0bf368aa216eaefa7244a338f72b118edf55e71501ae482011baae86502da836cb717b1813994f4f32a48d2540a7ac63f2fb5fd71b7a4b4334d2bad4bbda0

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
422KB

MD5
491bc40168072b5b14c8b7971c36f54a

SHA1
b91b79df693cd483c0270714b770713757c99c63

SHA256
625060686a944c7e8fbc3899a38c4caacb548a6c3fbc8d12dc9e10e5169f82d3

SHA512
2676ad34048c92739f27e01669a342aa1272ea750a1a21ef9acb6b56a77cd1dc980032cf8a1a41f7bb396347192cf819fca65293b9a87f36ed9e1d331fe3a4ab

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
422KB

MD5
e3903763a492451165d586e24186d438

SHA1
2e50f75157749259392030e402c3acf3967a2f2f

SHA256
a15d4cd61e87b3941efa8b6d65d2eb1e82a917cf5e49b0d61cae1d9309d878ef

SHA512
e5fe01eba748e0a7377da63aa13c18b068eaaa94cf06c972e46948ab2f20d5ac762c51e903e52e4594d1f318d475cb656147f05fdeca225f8d1ee4798481744b

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
422KB

MD5
472a4bbc4049fba86896d87515d8db01

SHA1
34b9131d95967881dd5bad0adcc464bb7830b4bc

SHA256
2b98ce121dacc5575b5e7cb775c9c1685eb265bc3d1039f5418cf9ac511f381b

SHA512
76e4f1aecea744cbcb7bd23c13735b16de88e89206ca5265c6685d34ada03f1e69b9c3b7d3b42d31b0011747db99fbd12e63bc9a06113eee07b2f8192e0a457c

Download Submit
memory/392-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-302-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/392-303-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/532-369-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/532-372-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/544-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-170-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/660-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-421-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/888-492-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/888-498-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/888-499-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/952-260-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/952-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/952-256-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/988-281-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/988-280-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1040-81-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1252-137-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1268-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1280-225-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1280-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-325-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1604-321-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1604-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-238-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1780-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1788-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1788-219-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1852-434-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1852-91-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1852-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1852-435-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1932-249-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1932-245-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1932-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-198-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1992-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-445-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1992-105-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2060-507-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2060-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-188-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2100-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2100-413-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2196-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2276-401-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2276-403-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2276-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-271-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2424-267-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2452-292-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/2452-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-291-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/2524-63-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2524-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-414-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2576-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-346-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2576-347-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2588-402-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2588-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-54-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2588-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-389-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2612-35-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2612-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-390-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2660-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-314-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2696-313-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2728-17-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2728-18-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2728-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-365-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2728-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-26-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2864-474-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2892-335-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2892-336-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2892-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-456-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3040-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-119-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3040-461-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3044-357-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3044-358-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3044-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3068-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads