berbew | 476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7eb

Analysis

max time kernel
115s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
Size

72KB
MD5

3755112e97c6f5e92d1ef2f8bbafc900
SHA1

69f9c810a7dca14dde2e0343d5cf73d8f3151908
SHA256

476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7eb
SHA512

e91ddb6a520604a3d69b583a5bdf23504983ae92eb256d21bd2cd03ce4ddea7736b60aef35450d0b682d8bf59475a38a1034721092152a69208af0746334d649
SSDEEP

1536:x1Q9HXCuzsnym1NRWhSyl2ZNCnqeOuOv01zixSPtOcFyCKdsdUjU/qgB:xKNXCfyYCzhO4+gBB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgodcich.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphehidc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkmfofg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcmoie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pecelm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqepgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnnfkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkbjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onipqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Admgglep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhebhipj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdnkanfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acohnhab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alofnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Malmllfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojkhjabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onkmfofg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amglgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkhdnh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noagjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenapck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepokogo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nohddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkaane32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdnkanfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mghfdcdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Malmllfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkhdnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgodcich.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepokogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqlfhjch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqepgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Peeabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nohddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnkiebib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqlfhjch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peeabm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogdaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgfkchmp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 56 IoCs

pid	Process
2804	Malmllfb.exe
2780	Mghfdcdi.exe
2860	Mgkbjb32.exe
2788	Nepokogo.exe
1956	Nohddd32.exe
1700	Ninhamne.exe
2972	Ncfmjc32.exe
2360	Nkaane32.exe
2036	Nhebhipj.exe
2872	Nnbjpqoa.exe
2244	Noagjc32.exe
1768	Ojkhjabc.exe
2424	Oqepgk32.exe
2212	Onipqp32.exe
1352	Onkmfofg.exe
1996	Ogdaod32.exe
1108	Oqlfhjch.exe
1644	Pmcgmkil.exe
1300	Pcmoie32.exe
2260	Pdnkanfg.exe
2256	Pkhdnh32.exe
2488	Pbblkaea.exe
2464	Pgodcich.exe
2348	Pecelm32.exe
2396	Pnkiebib.exe
2796	Peeabm32.exe
2736	Pnnfkb32.exe
2792	Qgfkchmp.exe
2628	Qghgigkn.exe
2700	Qijdqp32.exe
3060	Acohnhab.exe
2240	Amglgn32.exe
2124	Abdeoe32.exe
2420	Aphehidc.exe
2724	Aeenapck.exe
484	Alofnj32.exe
2192	Aalofa32.exe
3044	Abkkpd32.exe
2532	Admgglep.exe
1952	Bmelpa32.exe
264	Bjiljf32.exe
1556	Bacefpbg.exe
1048	Baealp32.exe
968	Bfbjdf32.exe
2252	Bpjnmlel.exe
1168	Beggec32.exe
2280	Bmnofp32.exe
1688	Cggcofkf.exe
2848	Chhpgn32.exe
2920	Capdpcge.exe
1992	Chjmmnnb.exe
1648	Ccpqjfnh.exe
2356	Cdamao32.exe
2044	Ckkenikc.exe
936	Cdcjgnbc.exe
2160	Coindgbi.exe

Loads dropped DLL 64 IoCs

pid	Process
2216	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
2216	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
2804	Malmllfb.exe
2804	Malmllfb.exe
2780	Mghfdcdi.exe
2780	Mghfdcdi.exe
2860	Mgkbjb32.exe
2860	Mgkbjb32.exe
2788	Nepokogo.exe
2788	Nepokogo.exe
1956	Nohddd32.exe
1956	Nohddd32.exe
1700	Ninhamne.exe
1700	Ninhamne.exe
2972	Ncfmjc32.exe
2972	Ncfmjc32.exe
2360	Nkaane32.exe
2360	Nkaane32.exe
2036	Nhebhipj.exe
2036	Nhebhipj.exe
2872	Nnbjpqoa.exe
2872	Nnbjpqoa.exe
2244	Noagjc32.exe
2244	Noagjc32.exe
1768	Ojkhjabc.exe
1768	Ojkhjabc.exe
2424	Oqepgk32.exe
2424	Oqepgk32.exe
2212	Onipqp32.exe
2212	Onipqp32.exe
1352	Onkmfofg.exe
1352	Onkmfofg.exe
1996	Ogdaod32.exe
1996	Ogdaod32.exe
1108	Oqlfhjch.exe
1108	Oqlfhjch.exe
1644	Pmcgmkil.exe
1644	Pmcgmkil.exe
1300	Pcmoie32.exe
1300	Pcmoie32.exe
2260	Pdnkanfg.exe
2260	Pdnkanfg.exe
2256	Pkhdnh32.exe
2256	Pkhdnh32.exe
2488	Pbblkaea.exe
2488	Pbblkaea.exe
2464	Pgodcich.exe
2464	Pgodcich.exe
2348	Pecelm32.exe
2348	Pecelm32.exe
2396	Pnkiebib.exe
2396	Pnkiebib.exe
2796	Peeabm32.exe
2796	Peeabm32.exe
2736	Pnnfkb32.exe
2736	Pnnfkb32.exe
2792	Qgfkchmp.exe
2792	Qgfkchmp.exe
2628	Qghgigkn.exe
2628	Qghgigkn.exe
2700	Qijdqp32.exe
2700	Qijdqp32.exe
3060	Acohnhab.exe
3060	Acohnhab.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Malmllfb.exe	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
File opened for modification	C:\Windows\SysWOW64\Pecelm32.exe	Pgodcich.exe
File opened for modification	C:\Windows\SysWOW64\Pnnfkb32.exe	Peeabm32.exe
File created	C:\Windows\SysWOW64\Cdcjgnbc.exe	Ckkenikc.exe
File opened for modification	C:\Windows\SysWOW64\Nnbjpqoa.exe	Nhebhipj.exe
File created	C:\Windows\SysWOW64\Qghgigkn.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Jpllfe32.dll	Noagjc32.exe
File created	C:\Windows\SysWOW64\Aegibbeb.dll	Onipqp32.exe
File created	C:\Windows\SysWOW64\Mqpfnk32.dll	Peeabm32.exe
File created	C:\Windows\SysWOW64\Ipgfpp32.dll	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	Abkkpd32.exe
File created	C:\Windows\SysWOW64\Baealp32.exe	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Nepokogo.exe	Mgkbjb32.exe
File created	C:\Windows\SysWOW64\Mlbpgjjo.dll	Nnbjpqoa.exe
File opened for modification	C:\Windows\SysWOW64\Onkmfofg.exe	Onipqp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdnkanfg.exe	Pcmoie32.exe
File created	C:\Windows\SysWOW64\Aphehidc.exe	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Mgkbjb32.exe	Mghfdcdi.exe
File created	C:\Windows\SysWOW64\Pnkiebib.exe	Pecelm32.exe
File opened for modification	C:\Windows\SysWOW64\Abdeoe32.exe	Amglgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmelpa32.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Pcmoie32.exe	Pmcgmkil.exe
File created	C:\Windows\SysWOW64\Dhkqcl32.dll	Pgodcich.exe
File created	C:\Windows\SysWOW64\Gaklhb32.dll	Qghgigkn.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Baealp32.exe
File created	C:\Windows\SysWOW64\Amglgn32.exe	Acohnhab.exe
File created	C:\Windows\SysWOW64\Nohddd32.exe	Nepokogo.exe
File created	C:\Windows\SysWOW64\Qhnmei32.dll	Ninhamne.exe
File opened for modification	C:\Windows\SysWOW64\Pcmoie32.exe	Pmcgmkil.exe
File created	C:\Windows\SysWOW64\Lnoipg32.dll	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Aemmee32.dll	Qijdqp32.exe
File created	C:\Windows\SysWOW64\Ninhamne.exe	Nohddd32.exe
File created	C:\Windows\SysWOW64\Mafalppn.dll	Onkmfofg.exe
File created	C:\Windows\SysWOW64\Bmnofp32.exe	Beggec32.exe
File opened for modification	C:\Windows\SysWOW64\Cggcofkf.exe	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckkenikc.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Neikpfdc.dll	Mghfdcdi.exe
File created	C:\Windows\SysWOW64\Pnifdmnc.dll	Ncfmjc32.exe
File opened for modification	C:\Windows\SysWOW64\Pbblkaea.exe	Pkhdnh32.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Pnnfkb32.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Capdpcge.exe
File created	C:\Windows\SysWOW64\Bacefpbg.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnofp32.exe	Beggec32.exe
File created	C:\Windows\SysWOW64\Ccpqjfnh.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Imhhea32.dll	Nkaane32.exe
File opened for modification	C:\Windows\SysWOW64\Oqepgk32.exe	Ojkhjabc.exe
File opened for modification	C:\Windows\SysWOW64\Onipqp32.exe	Oqepgk32.exe
File created	C:\Windows\SysWOW64\Pdkiinlj.dll	Pdnkanfg.exe
File created	C:\Windows\SysWOW64\Dcming32.dll	Pnkiebib.exe
File created	C:\Windows\SysWOW64\Abkkpd32.exe	Aalofa32.exe
File created	C:\Windows\SysWOW64\Admgglep.exe	Abkkpd32.exe
File created	C:\Windows\SysWOW64\Aceakpbh.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Mghfdcdi.exe	Malmllfb.exe
File opened for modification	C:\Windows\SysWOW64\Pgodcich.exe	Pbblkaea.exe
File created	C:\Windows\SysWOW64\Pnnfkb32.exe	Peeabm32.exe
File opened for modification	C:\Windows\SysWOW64\Alofnj32.exe	Aeenapck.exe
File created	C:\Windows\SysWOW64\Ipippm32.dll	Alofnj32.exe
File created	C:\Windows\SysWOW64\Dbidpo32.dll	Acohnhab.exe
File created	C:\Windows\SysWOW64\Djcnme32.dll	Aphehidc.exe
File opened for modification	C:\Windows\SysWOW64\Bpjnmlel.exe	Bfbjdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmcgmkil.exe	Oqlfhjch.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqepgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmcgmkil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkbjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amglgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggcofkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnnfkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkiebib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepokogo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgodcich.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abkkpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbblkaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcjgnbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcmoie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acohnhab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfmjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhebhipj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnbjpqoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkhdnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdeoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphehidc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nohddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjnmlel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beggec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkenikc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccpqjfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenapck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qghgigkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alofnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onipqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mghfdcdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkmfofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogdaod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmelpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacefpbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Malmllfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkaane32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peeabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninhamne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojkhjabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqlfhjch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdnkanfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noagjc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkhdnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkbjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnmei32.dll"	Ninhamne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbcekpd.dll"	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdfinb.dll"	Pkhdnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onkmfofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbblkaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnbjpqoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmcgmkil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgodcich.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgodcich.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll"	Qghgigkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll"	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neikpfdc.dll"	Mghfdcdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfmjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkaane32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqlfhjch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcming32.dll"	Pnkiebib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnkiebib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdkkkqh.dll"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimbbpmc.dll"	Nhebhipj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onipqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafalppn.dll"	Onkmfofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeenapck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll"	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Malmllfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkjpb32.dll"	Nohddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onkmfofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Peeabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemmee32.dll"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll"	Ckkenikc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noagjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceakpbh.dll"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nohddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqepgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll"	Pdnkanfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll"	Baealp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhebhipj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll"	Oqlfhjch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnkiebib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll"	Peeabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghijlbj.dll"	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onipqp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2804	2216	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe	30
PID 2216 wrote to memory of 2804	2216	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe	30
PID 2216 wrote to memory of 2804	2216	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe	30
PID 2216 wrote to memory of 2804	2216	476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe	30
PID 2804 wrote to memory of 2780	2804	Malmllfb.exe	31
PID 2804 wrote to memory of 2780	2804	Malmllfb.exe	31
PID 2804 wrote to memory of 2780	2804	Malmllfb.exe	31
PID 2804 wrote to memory of 2780	2804	Malmllfb.exe	31
PID 2780 wrote to memory of 2860	2780	Mghfdcdi.exe	32
PID 2780 wrote to memory of 2860	2780	Mghfdcdi.exe	32
PID 2780 wrote to memory of 2860	2780	Mghfdcdi.exe	32
PID 2780 wrote to memory of 2860	2780	Mghfdcdi.exe	32
PID 2860 wrote to memory of 2788	2860	Mgkbjb32.exe	33
PID 2860 wrote to memory of 2788	2860	Mgkbjb32.exe	33
PID 2860 wrote to memory of 2788	2860	Mgkbjb32.exe	33
PID 2860 wrote to memory of 2788	2860	Mgkbjb32.exe	33
PID 2788 wrote to memory of 1956	2788	Nepokogo.exe	34
PID 2788 wrote to memory of 1956	2788	Nepokogo.exe	34
PID 2788 wrote to memory of 1956	2788	Nepokogo.exe	34
PID 2788 wrote to memory of 1956	2788	Nepokogo.exe	34
PID 1956 wrote to memory of 1700	1956	Nohddd32.exe	35
PID 1956 wrote to memory of 1700	1956	Nohddd32.exe	35
PID 1956 wrote to memory of 1700	1956	Nohddd32.exe	35
PID 1956 wrote to memory of 1700	1956	Nohddd32.exe	35
PID 1700 wrote to memory of 2972	1700	Ninhamne.exe	36
PID 1700 wrote to memory of 2972	1700	Ninhamne.exe	36
PID 1700 wrote to memory of 2972	1700	Ninhamne.exe	36
PID 1700 wrote to memory of 2972	1700	Ninhamne.exe	36
PID 2972 wrote to memory of 2360	2972	Ncfmjc32.exe	37
PID 2972 wrote to memory of 2360	2972	Ncfmjc32.exe	37
PID 2972 wrote to memory of 2360	2972	Ncfmjc32.exe	37
PID 2972 wrote to memory of 2360	2972	Ncfmjc32.exe	37
PID 2360 wrote to memory of 2036	2360	Nkaane32.exe	38
PID 2360 wrote to memory of 2036	2360	Nkaane32.exe	38
PID 2360 wrote to memory of 2036	2360	Nkaane32.exe	38
PID 2360 wrote to memory of 2036	2360	Nkaane32.exe	38
PID 2036 wrote to memory of 2872	2036	Nhebhipj.exe	39
PID 2036 wrote to memory of 2872	2036	Nhebhipj.exe	39
PID 2036 wrote to memory of 2872	2036	Nhebhipj.exe	39
PID 2036 wrote to memory of 2872	2036	Nhebhipj.exe	39
PID 2872 wrote to memory of 2244	2872	Nnbjpqoa.exe	40
PID 2872 wrote to memory of 2244	2872	Nnbjpqoa.exe	40
PID 2872 wrote to memory of 2244	2872	Nnbjpqoa.exe	40
PID 2872 wrote to memory of 2244	2872	Nnbjpqoa.exe	40
PID 2244 wrote to memory of 1768	2244	Noagjc32.exe	41
PID 2244 wrote to memory of 1768	2244	Noagjc32.exe	41
PID 2244 wrote to memory of 1768	2244	Noagjc32.exe	41
PID 2244 wrote to memory of 1768	2244	Noagjc32.exe	41
PID 1768 wrote to memory of 2424	1768	Ojkhjabc.exe	42
PID 1768 wrote to memory of 2424	1768	Ojkhjabc.exe	42
PID 1768 wrote to memory of 2424	1768	Ojkhjabc.exe	42
PID 1768 wrote to memory of 2424	1768	Ojkhjabc.exe	42
PID 2424 wrote to memory of 2212	2424	Oqepgk32.exe	43
PID 2424 wrote to memory of 2212	2424	Oqepgk32.exe	43
PID 2424 wrote to memory of 2212	2424	Oqepgk32.exe	43
PID 2424 wrote to memory of 2212	2424	Oqepgk32.exe	43
PID 2212 wrote to memory of 1352	2212	Onipqp32.exe	44
PID 2212 wrote to memory of 1352	2212	Onipqp32.exe	44
PID 2212 wrote to memory of 1352	2212	Onipqp32.exe	44
PID 2212 wrote to memory of 1352	2212	Onipqp32.exe	44
PID 1352 wrote to memory of 1996	1352	Onkmfofg.exe	45
PID 1352 wrote to memory of 1996	1352	Onkmfofg.exe	45
PID 1352 wrote to memory of 1996	1352	Onkmfofg.exe	45
PID 1352 wrote to memory of 1996	1352	Onkmfofg.exe	45

C:\Users\Admin\AppData\Local\Temp\476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe
"C:\Users\Admin\AppData\Local\Temp\476cff2c942b9dea7ef6d6f99794727f12f04f455a44927dc902cdc86e14f7ebN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\Malmllfb.exe
  C:\Windows\system32\Malmllfb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Mghfdcdi.exe
    C:\Windows\system32\Mghfdcdi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Mgkbjb32.exe
      C:\Windows\system32\Mgkbjb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\Nepokogo.exe
        
        C:\Windows\system32\Nepokogo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Nohddd32.exe
        
        C:\Windows\system32\Nohddd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ninhamne.exe
        
        C:\Windows\system32\Ninhamne.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Ncfmjc32.exe
        
        C:\Windows\system32\Ncfmjc32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Nkaane32.exe
        
        C:\Windows\system32\Nkaane32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Nhebhipj.exe
        
        C:\Windows\system32\Nhebhipj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Nnbjpqoa.exe
        
        C:\Windows\system32\Nnbjpqoa.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Noagjc32.exe
        
        C:\Windows\system32\Noagjc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Ojkhjabc.exe
        
        C:\Windows\system32\Ojkhjabc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Oqepgk32.exe
        
        C:\Windows\system32\Oqepgk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Onipqp32.exe
        
        C:\Windows\system32\Onipqp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Onkmfofg.exe
        
        C:\Windows\system32\Onkmfofg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Ogdaod32.exe
        
        C:\Windows\system32\Ogdaod32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Oqlfhjch.exe
        
        C:\Windows\system32\Oqlfhjch.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Pmcgmkil.exe
        
        C:\Windows\system32\Pmcgmkil.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Pcmoie32.exe
        
        C:\Windows\system32\Pcmoie32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Pdnkanfg.exe
        
        C:\Windows\system32\Pdnkanfg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Pkhdnh32.exe
        
        C:\Windows\system32\Pkhdnh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Pbblkaea.exe
        
        C:\Windows\system32\Pbblkaea.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Pgodcich.exe
        
        C:\Windows\system32\Pgodcich.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Pecelm32.exe
        
        C:\Windows\system32\Pecelm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Pnkiebib.exe
        
        C:\Windows\system32\Pnkiebib.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Peeabm32.exe
        
        C:\Windows\system32\Peeabm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Pnnfkb32.exe
        
        C:\Windows\system32\Pnnfkb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Qgfkchmp.exe
        
        C:\Windows\system32\Qgfkchmp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Qghgigkn.exe
        
        C:\Windows\system32\Qghgigkn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Acohnhab.exe
        
        C:\Windows\system32\Acohnhab.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Amglgn32.exe
        
        C:\Windows\system32\Amglgn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Abdeoe32.exe
        
        C:\Windows\system32\Abdeoe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Aphehidc.exe
        
        C:\Windows\system32\Aphehidc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Aeenapck.exe
        
        C:\Windows\system32\Aeenapck.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Alofnj32.exe
        
        C:\Windows\system32\Alofnj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\Aalofa32.exe
        
        C:\Windows\system32\Aalofa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Abkkpd32.exe
        
        C:\Windows\system32\Abkkpd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bmelpa32.exe
        
        C:\Windows\system32\Bmelpa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Bjiljf32.exe
        
        C:\Windows\system32\Bjiljf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Bacefpbg.exe
        
        C:\Windows\system32\Bacefpbg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Baealp32.exe
        
        C:\Windows\system32\Baealp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bfbjdf32.exe
        
        C:\Windows\system32\Bfbjdf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Bpjnmlel.exe
        
        C:\Windows\system32\Bpjnmlel.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Beggec32.exe
        
        C:\Windows\system32\Beggec32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cggcofkf.exe
        
        C:\Windows\system32\Cggcofkf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Ccpqjfnh.exe
        
        C:\Windows\system32\Ccpqjfnh.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ckkenikc.exe
        
        C:\Windows\system32\Ckkenikc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Cdcjgnbc.exe
        
        C:\Windows\system32\Cdcjgnbc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalofa32.exe

Filesize
72KB

MD5
6f12b2604a6f84bd42832dd61bc5c69c

SHA1
dbbf3770051cdbab66b69007164dd48cecd84e35

SHA256
8771751b620863ab28d4eea1f418df929a628bf1e7242807b42d348171a88f1e

SHA512
3b9db39eb03785aaef5aed835c5b2434b6b62a848a978fc596fd63d273bb549a93ec425bd1733acea28ec5fa4e919275d89637826b095598b5bf9ca074fd0c2e

Download Submit
C:\Windows\SysWOW64\Abdeoe32.exe

Filesize
72KB

MD5
75a745dc8c60258b2253ad518e88a229

SHA1
7ddcfcd7652bb6adc1ade2fb4dd34496ad6b277e

SHA256
846c36f6bcb22602cd7498d25e5e8ae998fc2754ebc772c6a041b3bc2ce40ad2

SHA512
89ed106775db9939ac7ad637864035144ae0353ae6425c1206c4f5554f2832b40e0591898dbdd8650edd10cc14ace183ff87064c46eb288b1bf029e26c146618

Download Submit
C:\Windows\SysWOW64\Abkkpd32.exe

Filesize
72KB

MD5
236ec4873ce4f9aa2ed068853ef584d4

SHA1
71afe2d046b0cd0888cd2bb9b35fc9b87b695780

SHA256
08d3f512c1e5458fe04afb8a0707f0169abdda21af7a4fb0543a581c8a017552

SHA512
1994a5487f3671d3bc45a1d814a30ec5fae4fbee4baf8f3682a053558b036c473f4e31d602461b4ed3d3bc144e600a819c377bf83a11dfc0d93fe7300398f73b

Download Submit
C:\Windows\SysWOW64\Acohnhab.exe

Filesize
72KB

MD5
903a7a67ad6b0641a57e5ee82780fb0c

SHA1
fc9cd01dd4596eb9e6d73c0d066aab01182509e2

SHA256
34a40f703803156ae4b31da16730dff75bfdd4438f9c77acb5041ff1f9c08990

SHA512
55c416ae2de9cb788489dd9a4da10cb10525562933fc54210cec5a89366040e970518872a1b765bf76c65370d3d1e34c4c193ccb185029b2b46be5609fbc2d73

Download Submit
C:\Windows\SysWOW64\Admgglep.exe

Filesize
72KB

MD5
4793c7ebe52cf613bca80d5246a2f468

SHA1
89b5bf5ee4f1f252dcc079352068daaba7403f0f

SHA256
0bb1b881ea2643447bfa3c7e789176ae8e9100778b55177e8bf4a5efdef3ed24

SHA512
5ac69debb5d1380c2f117ff1549f035a19411c5f9ef723bc6b0b38c269b0f4faad4941a839bfac33473b2f6362d43c8529fd42af22592276ccceb16733869548

Download Submit
C:\Windows\SysWOW64\Aeenapck.exe

Filesize
72KB

MD5
2ef798036c9268a5211201d00b085fe8

SHA1
7995c9e8ca85d2352ecb92eeaca6511ea6899a13

SHA256
15915ae3e3c5add13c52694263bfacca602dd366db2969b58ae5fca3fa651cae

SHA512
559aacb97aeff696cdd2243abd9959e26a3bde67e6ffa572dd420d610f2ac7f813b84fd29ab798308fcba4a69fe408b642f661d469fa9927f98bc17e05cc382c

Download Submit
C:\Windows\SysWOW64\Alofnj32.exe

Filesize
72KB

MD5
11675ee2e91f65fe3a7681763dd5b58b

SHA1
44ef320db945100979715feb8a5f239115937bfb

SHA256
3fc9172800b3c06bb39083bd2083e6c6009c5eec77100d1d17357d0cd9e65c4a

SHA512
4ae338b2b36693a401f0be783497dc6b2be924da1de1feba4674af00276209e49571e41e19a21a57c9a4ffa9f711b067672154891f19a6de72abf2ea15277c42

Download Submit
C:\Windows\SysWOW64\Amglgn32.exe

Filesize
72KB

MD5
db1c66b74d6f89cb8d282d439f638ec2

SHA1
de925561041fcf4f806009efbdbffee00c330467

SHA256
c5a18857b16a18101a720d8276e6e76d1f8407796e3aea1c240b3bf3af68c2cf

SHA512
c3c9bd2c4d62cc4a5849df3f59a5efb5e2704e6e70c6c87f70e4c12f0dcb5d7d2bc665cce45d69cb1cb919c4415156177cc94fea837a4734d8c335e7f9924965

Download Submit
C:\Windows\SysWOW64\Aphehidc.exe

Filesize
72KB

MD5
7906ee1c2e18a4ec9ad8d17ac93a2675

SHA1
81b6a0bcac7ac086f955b1872cd666be73f5b638

SHA256
30225e116dd10264b188195f8b3fe15c49fd8275a1a65df983d369443b6eb91b

SHA512
1ee03e850d8a5b4981c8e17d7153f57c0436665e13ada3b859761486ba8067fc3db0349e328cd3f7b54e777ac353d803b29810fbbfa7b4237140103fb2d1ea01

Download Submit
C:\Windows\SysWOW64\Bacefpbg.exe

Filesize
72KB

MD5
ea45eb8e7ff18bee2b34ea3fa984e351

SHA1
9a92139ca3354ec0f5345102200ab0d4e816a3e7

SHA256
e97a10f36703dd60a9c18999ab8639ae3d2d7b40d7b46f4e4d39e539cd0560d5

SHA512
7f2682a6a0d495fff3efd881d6eade4cbc90d7af60c19182803757f5373715751c7734b908a462d0432a542aadd19d17bd34fd9880db24630e6f520ef46190b9

Download Submit
C:\Windows\SysWOW64\Baealp32.exe

Filesize
72KB

MD5
910ebacbdec6589dd85e0077648b37cb

SHA1
fe4adbbce6320ec89f78c197a20810d93b53fbd6

SHA256
d052ab8f5ad26a61de562c081ebd976fe0d557f125089211fd220b3f57e7d4f9

SHA512
528101488ad5873aa18fd3aad54021f8bfa33948851478a3edef72b5f30c3c98b23baa0da9f5dbf23801de4f2937480c25907ed4e6681a6e9f0509ff1e4f1eda

Download Submit
C:\Windows\SysWOW64\Beggec32.exe

Filesize
72KB

MD5
c432b8e7ae2409abf29cb3f092fc6bd8

SHA1
07ca4a6207ee474cead3c230272525ac8951da87

SHA256
09e7c5fa57d3fb8ce642a3548076da7a9d66daf754d3d918a89af9ad1196ee9b

SHA512
be6d9415091f805c1a76d95109a080b11584903178595af6387c1e7d0fa0b257ee0b360510e9caeff2b7be31fb2ea66b43e9abe59a4017f51309a58d2373b5f0

Download Submit
C:\Windows\SysWOW64\Bfbjdf32.exe

Filesize
72KB

MD5
c4d43bf334f1c7ead331d4fa62c790a8

SHA1
56aa5232a777bdc04fd21b22d73d6560d27cb0a9

SHA256
785ff5e892d2c64265d8fe9c0443f813112511a9e9cbdd9fdaba5ae46cbea235

SHA512
25b2cd012d6d1dcee0cfb935455ffa7d255f22e5b55154119c5672b1fa15a590993ef02dca963109555f1443045b37b9f027b749454ee22e86e6117c71f3df8e

Download Submit
C:\Windows\SysWOW64\Bjiljf32.exe

Filesize
72KB

MD5
402b55fb8b603c0fa2c1cfc930b6f7c8

SHA1
f3016827f25d746cd597076eb7bf985abad1469d

SHA256
105bd37ea43911fbfc9f008b5a2df807d6a0abc552bfd248ee50f8654341a6c0

SHA512
a1fb9ea7ea54ef81c0bc9984c3daf8231c3c64ddf01f186d6925bbf4e2ef832ed23c9913a7eb77d5583ea8ed10f63e8249c933b60c5fefe75d8068ae7d0ae474

Download Submit
C:\Windows\SysWOW64\Bmelpa32.exe

Filesize
72KB

MD5
e8b807f77cbb95143484fb02a394b273

SHA1
a2d2cd82e63c80763d37cf23de8f804a9491c649

SHA256
7f99ad799e8402b2537897cc8ae4c41b0459f6dcdbebb8f26e4432d3fd1e37b7

SHA512
53c974c5d447be9c523a437f9f4e0e1c14ffb0af08ebc7b8ba4dfd94df442416e6268920694aa7de92fb0948382dcf89b9393179a9336d59d836576f82d3ef3b

Download Submit
C:\Windows\SysWOW64\Bmnofp32.exe

Filesize
72KB

MD5
3add7b3e44843e1027e9f6ac0a9e35b3

SHA1
efaf21a9292a635e75d97c36fa932daf0484f23c

SHA256
18557473a1312b301cfb8ab853c5df9fd606f61edfe02d0bcfd954c45efb3b37

SHA512
56c610c1fe9ff526d7f6278c8f1d9d5fe69cf5afc4aaf114690eb869069a9c1685c6941af8ae5d55427569f2a1edb4c39e1f73e5ecb2c639db3bcb1c0583729a

Download Submit
C:\Windows\SysWOW64\Bpjnmlel.exe

Filesize
72KB

MD5
63038ae837109892c617f4edd2e4c8b6

SHA1
c9c0e5585fb53e0cfab1bbcf5ff7bbbbf3b44a8c

SHA256
6f738f69da1d570ab5f2215a8d40c55b74db9f48cab2cd96c07410068d71731a

SHA512
56ceacd3da4c8ccd8bdfa15e635650aad0317f738973623904d42f85efb822cf2aa37d91be3e56dc3340047394d3c218dc8e7392622366683d4de22798ff1b94

Download Submit
C:\Windows\SysWOW64\Capdpcge.exe

Filesize
72KB

MD5
fcebd7ebabfea363f2a5599bdc9fe4e0

SHA1
c17395778aaf0e58a1f94b45b6d3f975cae9b695

SHA256
c8ad7efb77722a2222bf5b8f2a25e179fd708658913d1715ec56879624100ed2

SHA512
0f22542f0456c0ac1530950691da16cfb76eb4b031e6ea61d2663e881707648d88110be367108cfafb42e164cc268e935115940d987547f28d7678d97ec65e32

Download Submit
C:\Windows\SysWOW64\Ccpqjfnh.exe

Filesize
72KB

MD5
f7913cdce832616fa3219a01a5df327f

SHA1
bc4348bded3550b65a548214beda4efd2c5b0abd

SHA256
713f8a1cc933903992b612b9056d21900b2842048fa3c72c742224202915175c

SHA512
09459b929778dbc705e0f5162c5f5194d017739c95b2261ea9a3a8b49841751d8e7110220e34f6249be2d5821ce850dab73aae9c80c79d6104abb26a9f447467

Download Submit
C:\Windows\SysWOW64\Cdamao32.exe

Filesize
72KB

MD5
3c7feec1ba63d9a16985179afb31bc87

SHA1
67b377d845f799e9aa4c1f4b810da1d7ab122273

SHA256
a07fc64fdb78a4ba1ca4645cead2b270bfb9d48feb11c39af9c046b82a040a4d

SHA512
2b1097c764d6a095779590a31fe33a51d10cc7f8ae2a457ff974c0b2266ea0863ed3c556027f4b0cb66432e27d0e2df9a20c560c120c38aebfca6d965f44bde9

Download Submit
C:\Windows\SysWOW64\Cdcjgnbc.exe

Filesize
72KB

MD5
4aa6f14b355f7fe926e4e8cf2c9084e9

SHA1
2e01116fd64cae532fdc8a362a9aa876d6434236

SHA256
19b72cf80f94055d41c06c78df1f60b36be994f70344cfaf703bddba6bfd5908

SHA512
7f650e0dd14584b9dd87cc7b2b186d15bf38ea7d6d1118fb42b1764ee12af1245f6c387457c85aa9474561d903f769f0b5b12850c10dc2ec9529d730eb467020

Download Submit
C:\Windows\SysWOW64\Cggcofkf.exe

Filesize
72KB

MD5
95428afd99ef5bf5800b953a95d85fad

SHA1
754420d836415111f6238663fd180872602409e9

SHA256
396670c0f919f97dfc4f66442495957717a091e1d9c1a455b1cc7763e01e710a

SHA512
dcd512ddf217abf5271daadb1b30c5125e9887ea323740d57bd27542d56220ad41983d8a349fc82fd264f1769273f4f5880b82b42f2e0c4cdd0e14347ff7fe99

Download Submit
C:\Windows\SysWOW64\Chhpgn32.exe

Filesize
72KB

MD5
ca7d5f5ad253e9beee2e6ff51447c828

SHA1
743788c028fddb3f5c66fc60149ce144222f028c

SHA256
6f1254bba2e5603b162264aa56dc801f8446dff03282e367334ce9729033aafb

SHA512
6b9ba69cd1d25ad7ee5f541b0199377b5a0f2547e62b007b12974700a6dfe52f08c7a148684484ee9a049c567f20141e0f21ded74cd3bb3e318f84a796be7cad

Download Submit
C:\Windows\SysWOW64\Chjmmnnb.exe

Filesize
72KB

MD5
a806488aea0361f243a7488cf8ba8faa

SHA1
33623aca4255af55da1a2ab08dd4d7e10accf3e9

SHA256
9c07532a0336dcd9904cd39a5cae4d7c427099fec975fe998e50e493bbaef077

SHA512
dbc31daa299c5191cc4185d4cece16f2f3a36b6983b89c107af113cc5fbf726b15fde5e243e7a3194a8634a5d45e616ec36a4437bb8cd7f46ed16a4d782fb817

Download Submit
C:\Windows\SysWOW64\Ckkenikc.exe

Filesize
72KB

MD5
b9d8fb84901f921ccb7d519dbc34a742

SHA1
c1d89b0ea3d638c251f01928b0eaabdc88e0b15e

SHA256
e0bd411bfb3dd19f906747ea50ba5b27feb666da3b26c51b3125aeae39257a84

SHA512
29fd70bd4c989204cfa3d65586f0504d0b46b7c0b46e10849941f34fe637d053f8a1b13d58a4ead9cbd9e3bb6125ad59ada8193b10eb5d5797ff701d57e1a667

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
72KB

MD5
c8cb37165496a880e8b2a98094fcdb06

SHA1
26da031fb590d575f19e54dfda43065c494b777b

SHA256
800e67145a0052a1191e88ebe7d88e25988075ebebe2a481e9f553ab91bc145f

SHA512
05ca3c586dbde15085ba9336d0c2fa0a8ee7c81f3a686aee7989bb2ce3ef926ec7dcd908e87e50076e25e3664ac862df422315c3385e04695fdf0beacdbf20ea

Download Submit
C:\Windows\SysWOW64\Gfjkqg32.dll

Filesize
7KB

MD5
89f7e8145593afdac9c373b9a660c9a9

SHA1
67ec7fb75425ef2b31e17bed34c263e43dcf3ff1

SHA256
490fba2b9c43e7850438601182583db8325ed39fea5a0e4ba1d348efb4d8f48b

SHA512
1f263307c6829b7002c7e8af8264b24766cc669dd9e65e39c03e48ad75d2d83f3604f3001e5a3a8760bc5d69b310a4e712e94539411f3c7a20eb54a062f14a10

Download Submit
C:\Windows\SysWOW64\Mghfdcdi.exe

Filesize
72KB

MD5
9ec0633f3e5d8e195b3f1e204a86673e

SHA1
bc2fb1abfa5693b04136fb835db5deb7388bde5a

SHA256
ec196631307747a73d4bc73df82c9c1e3bcc46791dd0a6e690f62372a6a8685d

SHA512
814c5a0da7c2bbf242514c970d4e8ccb1784475b4d4560a8ba52043fca55825fb6e4c18ce04d82582ce6b5807ef0b475d97a56e63b27e5dddda0c980556cd63f

Download Submit
C:\Windows\SysWOW64\Ncfmjc32.exe

Filesize
72KB

MD5
3a9151528262b9bafe0d998301fc9490

SHA1
e2d6d6c720082642868ee3c5aa9763568312a114

SHA256
4e2017a3846383a655379085f61a6bd28e85e78a1a13ad92fd4ea34eeabdf8c8

SHA512
0c49987e1886d9c34b70697fdeeefebc6b77422bf8429df1ac0f44060f1cdd84b52d455876ce6a0007771b855aac713c52cfb5174cf2149e229f2be384a9e1c3

Download Submit
C:\Windows\SysWOW64\Nnbjpqoa.exe

Filesize
72KB

MD5
6c8c68d5a549b6406c5ff6b98288c76f

SHA1
02c73e8c1b3382df5ccc3e8b47a2df7deec4bd04

SHA256
8fde826c5ec9046fd91823d97b3910cda48b71b1f6ab010979dbc5b708556c51

SHA512
a290a4537d00e30051764f9900572b17ba8fb770c4f31542a99f2dfb7830ca2c5df11e39fa3b4fac52ee926c7eb58e4fb502d51ae5c617f43079c7c151b45143

Download Submit
C:\Windows\SysWOW64\Noagjc32.exe

Filesize
72KB

MD5
f9758766c2e5f5d1b5cf426690833829

SHA1
c10d86e8680a9e7735d736534f8bdaef9ab3e1c6

SHA256
4c959638a076026fb9a7d19923f9fe35982dc64608d712d414774a87ef99a1f4

SHA512
f43f7633fd6814305bb7b11810804a77105d1b4ef88a5f65fb18ba670df8af5ccd2efde2ed101a5247f56e527435c61098b7329eb995e45d12272cd9246ed025

Download Submit
C:\Windows\SysWOW64\Nohddd32.exe

Filesize
72KB

MD5
db85aa506768214e9e6d98b400d5506d

SHA1
72244d7bb95dad269fc973f00e6c30756f93a6a2

SHA256
d0a248c9ecf018f4af9d9b9d08f6c458dd70124b1e602406a70c79dd75305148

SHA512
19211dfbd1994346f11c4cbdbca46ea136e351381c6b4257d044e0a2efe0df127a2d37941299ccc26b5d803cc534371f2ff3a25baaa1f975c7037e47cd0e1c4c

Download Submit
C:\Windows\SysWOW64\Ojkhjabc.exe

Filesize
72KB

MD5
578922978f4c37be734e003bc726a605

SHA1
80bb9638fb5c85e78d23b7aa1d903d495e3c6e7f

SHA256
3b2afc5a7b0ed0f51dea3ebc547523f088ea4dd561cd047f26cb15bf7edcec5f

SHA512
3a9aecdabdb7acf828ff9ef48d92c2b2f61efeb2e2af2c4e2eacbe1d8f8e1627a71097fa3cd17286177371ae7432be748af6e443bdfb2c09cf2aee1797aa04be

Download Submit
C:\Windows\SysWOW64\Onipqp32.exe

Filesize
72KB

MD5
ac260dc043dcd07775931ce13460b18c

SHA1
9526f2c499274a8a180f54fa5f637597f7a1d036

SHA256
ef980494b197ea775525d12e53f032c35eda91c3cdb3d7bb1678a6d9c1644972

SHA512
839e2f3e4554d1696f871cbfbd42178cf0e14c609f9869178eeba2cb1398b03e33cdd549455d46fd71aaababcd3c53f14e75414aae374072fd4f8d62a2348751

Download Submit
C:\Windows\SysWOW64\Onkmfofg.exe

Filesize
72KB

MD5
09947995588a9ba2bd2053f54bbacf62

SHA1
22803e49d40e94bc95c701571f164eac870f2f2a

SHA256
7da6375bf21b94db1b46299b039341756102f7febe3abb0f7ea09d97df008cf0

SHA512
71d5d4b667d043ab8dea75dabce7a1aa889e6aafe5969d935bd7a9f156069b8509b2646502a1ff6077949d5809552d4120d38f24dabc97975dcb9321e4b4fbfa

Download Submit
C:\Windows\SysWOW64\Oqepgk32.exe

Filesize
72KB

MD5
e39ee2a2176a0cda9511a4842a2dd721

SHA1
3e0f09dd18f9af6281a77394fcd3e75fbb07ddc6

SHA256
b669f05d1a0d18274730e43b52c6a9737f1dd2be8d4ccb6d72a41db82082a4d8

SHA512
b9839f3fcb2bb54fba3425851988720af5b606b46a22398066f95cbcc942ab45d2818931db36c3c2c5e877097bedfdc1f7f86688010b684e5289d0594c2076f5

Download Submit
C:\Windows\SysWOW64\Oqlfhjch.exe

Filesize
72KB

MD5
54823cfa2123fc012856927cdbaa0f82

SHA1
b42dfdae3371d791e4ef5a6707c6ae6fcee1cbe2

SHA256
4f3bd3c45eb548ae7f53836201300ff870472894ff61e5b848dd5b04cf0c1802

SHA512
bd2b396afd4de6735f400e4dd21ae91eb490243482797d3b7583e6ce860bf17dde92a4baa4b572625fb3199c05122a0a83ff29345fc2b2774278fd452cc80e87

Download Submit
C:\Windows\SysWOW64\Pbblkaea.exe

Filesize
72KB

MD5
8a135a673afb8963290d30c98a9cd116

SHA1
0b418ba7b76eb1a969e9349e5a63ab0b94692677

SHA256
4738218dbf88520ce3a4ffb4fee9cf5b5d5169b9f7bfcfc6e2d55da6390a6846

SHA512
15944b8ac73dc2f48622f72834b7098ec95db1991463bbcd68b849d3a1114a42c6410d372d18debf05d70e2e9c879547088b144168e19e114de07fcbf03306c2

Download Submit
C:\Windows\SysWOW64\Pcmoie32.exe

Filesize
72KB

MD5
a0852fa5fa01bc7ee917065c4dab9d96

SHA1
d369b3cd3b12c1b1f9d0180825ba040c021bcf9a

SHA256
4daefa707eb556e525f32fabf3ece5c1f90d5715a779c40093cf953065436b0d

SHA512
7b39249e82dc964c363557579d4b1746b36d880294b1c58959bc6069acbaf29f40dc0398e23f19c19ee73192ba8cb6dcbee6fa67e565fc5fc4c30220ed6cbc18

Download Submit
C:\Windows\SysWOW64\Pdnkanfg.exe

Filesize
72KB

MD5
48472262410a1f438553c8851ec3f680

SHA1
67dfd63b44dd7058334486703f554cad714ebb42

SHA256
ffdd58557354f876868677f16251a7fdcb5333a9de7cbd3532ec0377c30024b0

SHA512
c3a8ab19e92e02910a30c9d8375ee58f93417851a375065fe172fe338fede8e1ae13d5b405a6ff10941ae1c932f4d411203f9c326b50bab92eac22b9138cd8f8

Download Submit
C:\Windows\SysWOW64\Pecelm32.exe

Filesize
72KB

MD5
a2c4187b97207fce846ad17e873d6785

SHA1
d9f16c8480af83f195d30ee4b951f370cd9390c1

SHA256
1e0ecb6497e4b54d07deaddab0378f744a690c9b3ee11fae73b303431d6b1549

SHA512
ba772e73fdbd69fdd105d56ef84f193c44bc98cee2790943892182d0bdd1cfe6081bf4244ded567dba253d83a444cbbafae83ce65aa1de75faf3c8f6a21d94d9

Download Submit
C:\Windows\SysWOW64\Peeabm32.exe

Filesize
72KB

MD5
c8d93906cd7dbd4fc44ed0c93fc51274

SHA1
d55657a0120615f0357a0ac387e3b562b70b8e4e

SHA256
e2a7df2ed710e3213e4ff7dcec6da51fedc6d29b2fbe4b9b16988a39361ea3fe

SHA512
c418b03dcd1e22dc774313b5f00dd20f39ba8d0439633ae5af12cd6a6f748d153e4ed0e185157c11c0edfd317912f4c1c29f7d3451d6d08f9b8199c3a84f377f

Download Submit
C:\Windows\SysWOW64\Pgodcich.exe

Filesize
72KB

MD5
588e8c761a6ee755d483a13bb342e75b

SHA1
b4f4c344af1b76eca1dfb9328d783d0337f07fc6

SHA256
4038a31b143453853c20bc4d2b9802990e15a004b6dad6fb160997abcda7ae22

SHA512
bab0d35e6bcc017293d74100bb32c0c8cc51e39036f837528b5400f7da665a8a156cbfa3c4d789d50b45cd0a61d20e20501d2135e596cfbcdad6372b66a01dce

Download Submit
C:\Windows\SysWOW64\Pkhdnh32.exe

Filesize
72KB

MD5
e1bd54e5ec7e7dcdd40b801cc11a26cb

SHA1
d2f2438f8374ffbf22737e5b95a0c9418b1ac37d

SHA256
f087759a34cddbbe6663650b60c4f8e321cc29f8cab977609a02ed7ed234109d

SHA512
36f0bffb6a648ed6e82369ce8ad65a13d62af240bc873a1af32eb072b32c8f1ca54b8a0f2f5cb55a9178c6a512ccf3aeb787f60bb884fe95c641bc8b2f99fc53

Download Submit
C:\Windows\SysWOW64\Pmcgmkil.exe

Filesize
72KB

MD5
ede616195c7268be41982bdb922e5afd

SHA1
0445a5551154da01344b063302ef9d996aa4b434

SHA256
cb57ff237ec93fe90ea45e5aa302d528cd8a6f80d8332c54b10125a30bb48bca

SHA512
084205b13d9c733036d688fc34d3f0452a498b47131e400a69eaad3e0a7090cdcaba64811d638a2254e80a6f510bcc87bd0ea4e2de666fd6933ce07abf34c2ec

Download Submit
C:\Windows\SysWOW64\Pnkiebib.exe

Filesize
72KB

MD5
784a07aa8f7e6de5d7a10e25bbc36de1

SHA1
fe768f47f33cae36561aef489993a354665ae67d

SHA256
44d4f46a12f647f8c3e8345f73421b6207bc7b3eaa82739bf19bb532a5c356b8

SHA512
faef9dbb0d9414b75aa85667da5fd065b78ee567c40c3bf28f576626a5afb0302c30ce454ed3ddc5f5eb0ca5bb59d9647e04f395c6ad734bbfefa5bc6fa1d914

Download Submit
C:\Windows\SysWOW64\Pnnfkb32.exe

Filesize
72KB

MD5
660b4ce099cf9641d98f80f7a7f8af62

SHA1
12d6afc03a3831b0b746479d2de83b9a1592370f

SHA256
7c48c8a2c33ff94d0a16468b768336fd9e91fc64ab264dd3eedd2104f1b73e89

SHA512
01742717b31ff154eb60d8f76bf0534d6f001172b61d4c007ca900f12c5ed74958040c3d1a90ff3b73f0d8597a2072c84674f2dac55dc29a8fa9bd20e61173c6

Download Submit
C:\Windows\SysWOW64\Qgfkchmp.exe

Filesize
72KB

MD5
acf2148c2d9c3985d840821601f3b9ec

SHA1
545694e98b89665d2419d0519dac5a3908870e21

SHA256
876d99cc67636db61b6630170e007697b2b4e457a8b00c00922e30bc4163ec27

SHA512
313f06cdc124db98f446c9d5d4f756f9c6b48fa5af42593bd00de42ced445d252d83de3eeb9a8db48b7b91d7dbf4d51747fe451c4046a315f024794dcb0ff88b

Download Submit
C:\Windows\SysWOW64\Qghgigkn.exe

Filesize
72KB

MD5
51416b9d63d01526610ba7e51bfa4afc

SHA1
00f9617cdb31ece187708807ce2fb9c0b5833f02

SHA256
366934adac558884180f782b341531d6964c6f909d3579f33246205e18fa6d06

SHA512
3fdd3545ca4579bccd432a9693b5ec9e5099faaef62f1de792970077359a89249972ee9570ec133b6d4f4968a05521ecd37fe8b839a707b677de005a055ae01c

Download Submit
C:\Windows\SysWOW64\Qijdqp32.exe

Filesize
72KB

MD5
434485803804658b52f572804f2598d7

SHA1
a9fe47bcf750495c088f448ddfda2a4b0f46ac36

SHA256
7a8de25a6af2f38e199a9375b59acebcc4b8afd7262dc8205e9567f69d535ecc

SHA512
efd28d92343364576c34a804444ca917720c209ecfbe133f8e745ea844a1698c233a3316bf7ba94d05a7dd33a6f6767c749820210bfdf3922697cf06dbd1046a

Download Submit
\Windows\SysWOW64\Malmllfb.exe

Filesize
72KB

MD5
e4b8d0695a7b753e005191eea92bd587

SHA1
645f8bc3b50af81b67ee7b56c6b4741208d3aa8f

SHA256
e469e3740532da47bf1e30840c0b66e4835a479deb629f7bb5880a8caababe56

SHA512
ae963f95945fcd98e43f10ffbb5e2e131b48ed50db4ee51b4c0f81dbe7f6a5f420a307b06be3bf93397cfda82fc419c951f4c641d73518063a1cbb3cc934f04f

Download Submit
\Windows\SysWOW64\Mgkbjb32.exe

Filesize
72KB

MD5
3e18033c9801896712d93463aab16a13

SHA1
f007f330036dfe0a8004f5182b462d08c4cfb494

SHA256
df83727ce381ef5e48ee5b537008927eddf9a36db01a738ba3976e7b074c3074

SHA512
9bf3da66879384a96dcfaf3963e1f9c50c937a096a2579d990f58de3ec4abb13669d64680f5e20812495eba7f04e15dce31066a82fd1c6493f9d5dbba854b6aa

Download Submit
\Windows\SysWOW64\Nepokogo.exe

Filesize
72KB

MD5
29603cdb4ef9610108c830c7b3ada0cf

SHA1
da488e863812ffdf7c64041a9e888e4f06b7e99e

SHA256
817c507a56549bd7a67682dc7642982da74b60b1b95a7e122ce1daa785d9072d

SHA512
c5186a9cc86a91cb155fd8e924e756905ac9f1706e39414533d212fd5dd5f23e07771bd4e10faf59a9b000ae544c78d4b2a218eeb7e231a940dd05e304c802a3

Download Submit
\Windows\SysWOW64\Nhebhipj.exe

Filesize
72KB

MD5
c9ca1d4919ce8dfe17db8a023c0b1d9c

SHA1
78638456d8a4231afdd40c9b7185091cc916a9dc

SHA256
63f83c9969927ea9b00843e5275144adc57ebd7d9105bb906909dee8aea10079

SHA512
b8806f9531b7427e951f128f74bb4f7dc77bbc0d0e31353838e619088bf3290e27bf5e6bb7701b0eefa88763fcef41fdaea0c41176597232fd0f44ae03ebf6ee

Download Submit
\Windows\SysWOW64\Ninhamne.exe

Filesize
72KB

MD5
a25c9ebec1ad1cc919639c75a278af70

SHA1
4bb1bebb2b51425b81db920001833898c994ca9e

SHA256
2479eafb070fbd9f8e335b614f473b0c93cd3bb94d993cf573f51c0d10adbd71

SHA512
efc3713ffd4653e6ac51c0e8170baf3f6422de6754898081ab3d694c64a6ab8f8fee5c695ddc634249f5258d117863fcc7eacd7205f49945755d833b8cffad89

Download Submit
\Windows\SysWOW64\Nkaane32.exe

Filesize
72KB

MD5
90c82373efc425061a13d69ed07314c0

SHA1
7e319dfb13da867e1644dad90936e079b5d6b902

SHA256
a4ebe734b15e7dec2463944e29931f8b689c96f3497e08d83f24332ba9f870aa

SHA512
99f772e5909f1d074677019c6800ddad66d162bdf7af9c858a0215db65464786780834519c599bef4b4be9225643f349834af15cb96d0f17bc76526689ac375b

Download Submit
\Windows\SysWOW64\Ogdaod32.exe

Filesize
72KB

MD5
de2604023757b4b26c11f273e8b03bad

SHA1
45bab52c85486479808cc8d281db925f44e2d344

SHA256
b3fe654cf9b5a4e233aa4d5765072276deaf31ac9056def97da0c65ddeb0572a

SHA512
882a9562777c58bff81fa525e428ff1ab4e304f6ad6a25a2d59b7c84c7aefc46b321247d8dd0cf5e753b7361fb0f31fc2d772353d4646762d82b356293a283bb

Download Submit
memory/264-494-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/264-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-439-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/484-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-440-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/1108-232-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1108-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-251-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1300-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-213-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1644-244-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1700-88-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1700-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-483-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1768-170-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1768-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-81-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1956-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-222-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2036-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-128-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2124-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-406-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2192-450-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2192-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-200-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2216-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2216-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-11-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2216-340-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2216-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-397-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2240-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-157-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2244-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-275-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2256-276-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2260-261-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2260-265-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2260-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-307-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-306-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-115-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2360-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-318-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2396-314-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2396-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-495-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2464-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-296-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2488-286-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2488-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-469-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2532-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-362-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2700-375-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2700-695-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-370-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2724-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-341-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2780-35-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2780-374-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2780-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-66-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2788-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-352-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2792-693-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-351-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2792-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-329-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2796-328-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2796-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-53-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2860-48-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2860-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-462-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2872-147-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2872-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-142-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2872-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-101-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2972-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-696-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-383-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads