berbew | 7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
Size

71KB
MD5

bf942094c936904cbe4953c2c83f2c70
SHA1

96204e409b41afa584aabf324c942081c7434439
SHA256

7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585
SHA512

d89e9df1c7d0b1931297b1edb46f038c9af34f8767e4557afc87bf08cd88833ae0bc24cd14e69fa3f31c82b9fd9eac17066d8fcc05a67a0697005489d19d43f0
SSDEEP

1536:xQnxsnOhyc2N7YmZiafom3yIOToqFA2LZ7RZObZUS:xQnWcSZiaf93w0CZClUS

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maoifh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepineo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpchaqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
748	Khdoqefq.exe
3732	Kbjbnnfg.exe
4724	Kalcik32.exe
4940	Kkegbpca.exe
1200	Kaopoj32.exe
2076	Khihld32.exe
4480	Kbnlim32.exe
4536	Khkdad32.exe
3156	Loemnnhe.exe
2208	Ldbefe32.exe
3548	Logicn32.exe
888	Leabphmp.exe
1672	Lknjhokg.exe
4548	Ledoegkm.exe
3392	Llpchaqg.exe
220	Mkepineo.exe
2916	Maoifh32.exe
3048	Mociol32.exe
5028	Mdpagc32.exe
4460	Mkjjdmaj.exe
3196	Mdbnmbhj.exe
3580	Mohbjkgp.exe
2220	Mddkbbfg.exe
1356	Mahklf32.exe
3696	Nkapelka.exe
672	Nefdbekh.exe
4412	Nkcmjlio.exe
1316	Nkeipk32.exe
4508	Ndnnianm.exe
1712	Nocbfjmc.exe
1808	Ndpjnq32.exe
4256	Nfpghccm.exe
3220	Ohncdobq.exe
4800	Oohkai32.exe
4284	Obfhmd32.exe
4888	Odedipge.exe
2172	Okolfj32.exe
4908	Obidcdfo.exe
1740	Ofdqcc32.exe
4752	Ohcmpn32.exe
3216	Oomelheh.exe
3724	Obkahddl.exe
1956	Oheienli.exe
2948	Okceaikl.exe
4052	Obnnnc32.exe
3192	Odljjo32.exe
2044	Omcbkl32.exe
2268	Ocmjhfjl.exe
4716	Pdngpo32.exe
4388	Pijcpmhc.exe
2284	Podkmgop.exe
2164	Pdqcenmg.exe
2644	Pcbdcf32.exe
4272	Pfppoa32.exe
2040	Pkmhgh32.exe
1036	Pbgqdb32.exe
3444	Pokanf32.exe
1516	Pmoagk32.exe
1688	Pbljoafi.exe
3972	Qkdohg32.exe
2128	Qmckbjdl.exe
4632	Qcncodki.exe
3268	Amfhgj32.exe
696	Akihcfid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Khdoqefq.exe	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
File created	C:\Windows\SysWOW64\Kkegbpca.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Dkheoa32.dll	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nefdbekh.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldbefe32.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Nfoceoni.dll	Mahklf32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Okceaikl.exe
File opened for modification	C:\Windows\SysWOW64\Pijcpmhc.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Flekgd32.dll	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Nfpghccm.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Abggif32.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Bhalpn32.dll	Maoifh32.exe
File created	C:\Windows\SysWOW64\Mahklf32.exe	Mddkbbfg.exe
File opened for modification	C:\Windows\SysWOW64\Pkmhgh32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Mkjjdmaj.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Pdngpo32.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ohncdobq.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Llpchaqg.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Mkepineo.exe	Llpchaqg.exe
File opened for modification	C:\Windows\SysWOW64\Mociol32.exe	Maoifh32.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Qcncodki.exe
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Kjejmalo.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Odljjo32.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Odljjo32.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkjjdmaj.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Ohcmpn32.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Khihld32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepineo.exe	Llpchaqg.exe
File opened for modification	C:\Windows\SysWOW64\Mohbjkgp.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Obidcdfo.exe	Okolfj32.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Mohbjkgp.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Ndlacapp.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Odljjo32.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Loemnnhe.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khkdad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohbjkgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maoifh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmqbkkce.dll"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnnnc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 748	1844	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe	89
PID 1844 wrote to memory of 748	1844	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe	89
PID 1844 wrote to memory of 748	1844	7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe	89
PID 748 wrote to memory of 3732	748	Khdoqefq.exe	90
PID 748 wrote to memory of 3732	748	Khdoqefq.exe	90
PID 748 wrote to memory of 3732	748	Khdoqefq.exe	90
PID 3732 wrote to memory of 4724	3732	Kbjbnnfg.exe	91
PID 3732 wrote to memory of 4724	3732	Kbjbnnfg.exe	91
PID 3732 wrote to memory of 4724	3732	Kbjbnnfg.exe	91
PID 4724 wrote to memory of 4940	4724	Kalcik32.exe	92
PID 4724 wrote to memory of 4940	4724	Kalcik32.exe	92
PID 4724 wrote to memory of 4940	4724	Kalcik32.exe	92
PID 4940 wrote to memory of 1200	4940	Kkegbpca.exe	93
PID 4940 wrote to memory of 1200	4940	Kkegbpca.exe	93
PID 4940 wrote to memory of 1200	4940	Kkegbpca.exe	93
PID 1200 wrote to memory of 2076	1200	Kaopoj32.exe	94
PID 1200 wrote to memory of 2076	1200	Kaopoj32.exe	94
PID 1200 wrote to memory of 2076	1200	Kaopoj32.exe	94
PID 2076 wrote to memory of 4480	2076	Khihld32.exe	95
PID 2076 wrote to memory of 4480	2076	Khihld32.exe	95
PID 2076 wrote to memory of 4480	2076	Khihld32.exe	95
PID 4480 wrote to memory of 4536	4480	Kbnlim32.exe	96
PID 4480 wrote to memory of 4536	4480	Kbnlim32.exe	96
PID 4480 wrote to memory of 4536	4480	Kbnlim32.exe	96
PID 4536 wrote to memory of 3156	4536	Khkdad32.exe	97
PID 4536 wrote to memory of 3156	4536	Khkdad32.exe	97
PID 4536 wrote to memory of 3156	4536	Khkdad32.exe	97
PID 3156 wrote to memory of 2208	3156	Loemnnhe.exe	98
PID 3156 wrote to memory of 2208	3156	Loemnnhe.exe	98
PID 3156 wrote to memory of 2208	3156	Loemnnhe.exe	98
PID 2208 wrote to memory of 3548	2208	Ldbefe32.exe	99
PID 2208 wrote to memory of 3548	2208	Ldbefe32.exe	99
PID 2208 wrote to memory of 3548	2208	Ldbefe32.exe	99
PID 3548 wrote to memory of 888	3548	Logicn32.exe	100
PID 3548 wrote to memory of 888	3548	Logicn32.exe	100
PID 3548 wrote to memory of 888	3548	Logicn32.exe	100
PID 888 wrote to memory of 1672	888	Leabphmp.exe	101
PID 888 wrote to memory of 1672	888	Leabphmp.exe	101
PID 888 wrote to memory of 1672	888	Leabphmp.exe	101
PID 1672 wrote to memory of 4548	1672	Lknjhokg.exe	102
PID 1672 wrote to memory of 4548	1672	Lknjhokg.exe	102
PID 1672 wrote to memory of 4548	1672	Lknjhokg.exe	102
PID 4548 wrote to memory of 3392	4548	Ledoegkm.exe	103
PID 4548 wrote to memory of 3392	4548	Ledoegkm.exe	103
PID 4548 wrote to memory of 3392	4548	Ledoegkm.exe	103
PID 3392 wrote to memory of 220	3392	Llpchaqg.exe	104
PID 3392 wrote to memory of 220	3392	Llpchaqg.exe	104
PID 3392 wrote to memory of 220	3392	Llpchaqg.exe	104
PID 220 wrote to memory of 2916	220	Mkepineo.exe	105
PID 220 wrote to memory of 2916	220	Mkepineo.exe	105
PID 220 wrote to memory of 2916	220	Mkepineo.exe	105
PID 2916 wrote to memory of 3048	2916	Maoifh32.exe	106
PID 2916 wrote to memory of 3048	2916	Maoifh32.exe	106
PID 2916 wrote to memory of 3048	2916	Maoifh32.exe	106
PID 3048 wrote to memory of 5028	3048	Mociol32.exe	107
PID 3048 wrote to memory of 5028	3048	Mociol32.exe	107
PID 3048 wrote to memory of 5028	3048	Mociol32.exe	107
PID 5028 wrote to memory of 4460	5028	Mdpagc32.exe	108
PID 5028 wrote to memory of 4460	5028	Mdpagc32.exe	108
PID 5028 wrote to memory of 4460	5028	Mdpagc32.exe	108
PID 4460 wrote to memory of 3196	4460	Mkjjdmaj.exe	109
PID 4460 wrote to memory of 3196	4460	Mkjjdmaj.exe	109
PID 4460 wrote to memory of 3196	4460	Mkjjdmaj.exe	109
PID 3196 wrote to memory of 3580	3196	Mdbnmbhj.exe	110

C:\Users\Admin\AppData\Local\Temp\7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe
"C:\Users\Admin\AppData\Local\Temp\7abd6b7d983149ea1711fe72c19fab3a551858175a4cf325560fc54c21fc6585N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\Khdoqefq.exe
  C:\Windows\system32\Khdoqefq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\Kbjbnnfg.exe
    C:\Windows\system32\Kbjbnnfg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\SysWOW64\Kalcik32.exe
      C:\Windows\system32\Kalcik32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        37⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        67⤵
        
        PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akihcfid.exe

Filesize
71KB

MD5
e161e9d34484220a11a8c2b8c82298ef

SHA1
8e7397602a4ba070022b98df502139191ed9bb03

SHA256
e7ee92bc6b681a15efabd0537b110c2c07081d2072310cb011e138a121dd3042

SHA512
435286a3bed4592a2d479aeb3b8390e6ee78af0f08712b8611f21bdefc742955e13d784a4303cbf19e381cdcb66d41eaf9ffd8f5826afc162ac8d109bac5de71

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
71KB

MD5
9264a800383c30ae3f84171b165bf0f4

SHA1
aea8c962c52dc770303832b46138abc2cfed06ef

SHA256
42da4c3430096d1c89bfe4ca48ff0394cfb3da46f08a340703e4c3f368eccc8f

SHA512
f7c63ad261e57aabb2d12fcd9e2160ec4c256b0e3726fb06f2ba1eda07f7b6f760d69ab572ce379e95ae29e7e31bc976129e1cc8da8066bfb507f4714ad81516

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
71KB

MD5
120036f6c47ebf0a8575ffc2b49ff439

SHA1
6054188645862241f461f08014f701d1ec1c8ec9

SHA256
6888e8587f64e8ea018474b542047d89751de45713f494ff684297f271f15048

SHA512
3c2c2e31a29eee5a1d99bb94c0399d3a557cbf4f0c49c70676f1cd8ab51ef48e9de91ee80015d1cf61ac5ddedd9461859a4966500695585d6135d2a2b6fc1856

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
71KB

MD5
ba5ee0ea3c2c46c17e2da18eec1ebd10

SHA1
bf351c397274f8e60cbb2d87a5e4c4cc249187cd

SHA256
35c62cdfb5545c074231466cc03ebd1d72f2545873508c5bcfdac9c6bf5c5993

SHA512
279f7876a0f63fb3b43c0b011964b5403c88832cd842a581eacf925a21b773e65e04db6e11b15d2bebc0b2204c952beb19606cef7fb30166a9785fb16f802942

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
71KB

MD5
5a12f870fd0994f1e50e8992a1a2f3c9

SHA1
d65cc2f4db174d3136637def1c04d4d0382da396

SHA256
9b74a4d54732211ef33f4466d2c500d4eb55a2ba9f06859cf15b3373f67d333c

SHA512
dba8aaf8a871c15bfb2ebecaced9d726144fb4d07924bffe49f14b6339b3373e3c0081345722a8615c5a15bbfbcfa904d6bb8221b7e6090f7dfca4e36d783326

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
71KB

MD5
46c9f8f246602bcf920813967e499234

SHA1
d12d543d98ff56bd1bf828495f2a1c437eca0945

SHA256
b70bc070dea8879c9d60f36f4acc255cd81b7c3d73269de5df55ba1fdef7a665

SHA512
6f481716895be94a04bb8a9cb9fef4fc821c7067d6cd5565d9c213cb879dbb764695bcb639b3bfa464f7c3328f98ed4a1562e8190ba09e0535597fec0a0cb9f0

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
71KB

MD5
dacd3ffcf8d1782a8dbefcf44407ab0d

SHA1
8585633e2f2850a2357db930c29a31839dd54e25

SHA256
fcc46ee9fbaba09b00e588777e0eded7abb987edf4ddb0818608487128211879

SHA512
d2f6151b980660250737f98be9f7217904e37c691a760685ac6bbc533e881c3bbd28393685738a658984f5e2a79d738eb4502aa811309de2c00cb00ad19b9426

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
71KB

MD5
e51a2cc1b445ad9fe74507ee1fb096d2

SHA1
fc2eaa53270f7f8d91135ccc02eef056fbd8bfe7

SHA256
b2bb97faf19c28dfa2af21d42e534a683f3b30daadc4441ce2f998f85e8f89b5

SHA512
1a5314ba2f7abfaa272d2f1e6ab18785e7828dd105c10fa65da3d9b5908330fe356e46366e7f9d9e9bf6fdae90ec61f644b4c21c52b07545ede26d466318d89e

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
71KB

MD5
2ec14c88e282dae990f01f3e23adc56a

SHA1
18d3cdcf2c0389b75d47ae2f49a0a802b6aec948

SHA256
2ad0c40a42a6c1d7c417af1df080c0de9e70dcdaea68663ad82909837a4bfeba

SHA512
d307db5b09fb93f86f9e56f235bd4514f3a3880231995a9c96cea941f558a58b2b955325c975f5b80cc1363eb05556268b620818ad019d6f4aca7c8fa521b8d8

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
71KB

MD5
9878023d95b17121b8f47bef0b123273

SHA1
65f8f8e363ce167fa25d13f816c688b3c8ce5b24

SHA256
350f95d2bad02d9b69d37f339453470362c006c73228c4a0993bf796d8be45bf

SHA512
d904d66e3d9f9bd49fe05dde6d5722ef27c3e00e99bcbe145c5cd0b5c04610f62f7be92835f5c8c0e1a8ff7774e917c2355e0c6db91befe52438d360cdd25a12

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
71KB

MD5
3da2d2d476c38a13b4ccc740b8f2410f

SHA1
c10cb9df8b387b065f22797c98db6fa744051886

SHA256
baadd8da2075270797ed94de81720eb1898c5c187e8e7013acb6c00f6a64f513

SHA512
9d158f6464a02051caacfc4db7261722e04cb977734bfd78698835d69efcb2cdf82e7dcb968f535a1cf034080b00c47d655572fee6ea950b498139daa87926d4

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
71KB

MD5
3d96c78bed23fef4fec16b90b93955d1

SHA1
8e3f17c0d9c01214e11e786cb3ccc6f02f0fd35c

SHA256
5f174d0da177127639ffaa37f57f7a6df465378cb348f45c4a176e6228f69769

SHA512
adf17650942446373abd8d930b665999675c8fd99878709985d4094655fb38f1989976e4c47090349214fba0342f04b7e780d85f03cb8b9624a1c352ef5419f7

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
71KB

MD5
bee9667eca1115aa8152f814a14fcfdf

SHA1
48f43f4874b05005fa8207e6b56636598c8bf39f

SHA256
0e78749e6ec714c8c19205f737f6f6e33a3d8b4126e55273c1e8d37028249616

SHA512
8e9263fa85595b84d293851a622ac34257279c2fbd7c62570b63f311f27f7838c6de49aa7e6786c7fc1d6ca91b7a55116ed20f8b36c3f2577501e20b135b8ea3

Download Submit
C:\Windows\SysWOW64\Llpchaqg.exe

Filesize
71KB

MD5
c28d866e52d65acc1517fa1bc6bc28d8

SHA1
4bd6d5009174df518194b6a501706d3c1c22a03b

SHA256
cacb666b0b41766b05d743192cd637879ffd3e919c8bb65ca50966fe763c0f2a

SHA512
d03cdff7ea14d0738d4ae114b7393357216d8a4a5ffe9fd759dbc422fda7a39698190c49eccfecfc31408a5db6ce56fe39345706fe34105c614567af9ba3e3bb

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
71KB

MD5
70ec223ff0200c67ce0e03ea450cde58

SHA1
e03741be87146d7de179dff9311dedba1166acf7

SHA256
9b657f55e50f216b42e1a98d26e1947932a762e2e9f55dfbbb9c3493cb4422bb

SHA512
ddc1749b38edbb78638a506a420d93a02f996939fcdc51111448c4ae335372d7f3fc54e10ba1acfd93a67fd06c0a25f0af5a96f85f85b8cde5372f1905c0d0d0

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
71KB

MD5
3e432f59c860931e8e8624ee1e6f3043

SHA1
906d6ae55b22b6a54797a6bbaeb7b4339c1b6772

SHA256
d45db2901eed4a16d0f230314d3daa0fbdd5cfde30a6cfeace97bdb19e8ab1ae

SHA512
d7cf60cf45e513fcac4df566be9da9994be0ac0e1759a1feb755984604e75125bd02ebe7f3f29127bf42b0fde4d2ba56b92d3c6fb043bea05cd62d80eef027be

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
71KB

MD5
18fbb2ed869b155b1b6bcc74f55511d0

SHA1
7a7e3f501dfbfc400047019beb99f47f046a8236

SHA256
ae6e33257bf5da33d5b49c7cbfc30dea50f9b98c4f311a0797d33d86711239dc

SHA512
a572dee725c47cc099cc882cf40d13dc80e1bc78e27b5a8760bdb5433c99a4152d8dafa99011bd76c6d96b40afc0984794dd1847cb6e3a174f6cb1f5229164b9

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
71KB

MD5
29b9a927fbeab9b5f9fb744d46a02dea

SHA1
8256b4f618bfec9c18bc62f69fefeac16f377697

SHA256
6cc2ce014adc21d92713cd1fe35f399b28f9cf6c3506aa89264a25422c753174

SHA512
b76973d134c39607c0acdb7f63bf8489409a90bb2750bbccb58b4080deae0b2ea51e691f2e4bb84e728976353976f2a486818d760dd40ca1cb8ac20b5b4a85bd

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
71KB

MD5
c9818bcdaeef6b23a0cc41fe8042f949

SHA1
a0e0c22918fb2b80507d286e10761da1338e76e6

SHA256
d608e9fdd3e7e7d7f8e12e4e8e6bd63acbcbf123cebab775a5e461c8fd94478d

SHA512
2b5bd11f47a26b85632d8046217230b8ded677cd5c8288b96c66b5d43cbb7d3d2faec1ba33ea02031b044a22e98f54ada05dbab3642acfc02bc890063f681a13

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
71KB

MD5
5f6b40e03219db2cd6df40c7186d3037

SHA1
88f0b23d21304974cd06d848ed0cca4ca29deaba

SHA256
1874a3a01c8340816f26e53af2999016e0f832fb183fda1fdd16ae91fe97d41b

SHA512
7601386761095bff110190bab4e4c2d528d82e4947b9e2534ef795e7c02c063b88e1a0daaa9cbaa5a8c5ca3f2508034aa7ec8f43e3aab38c60dee2f8fb8528a8

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
71KB

MD5
10654a1bb2ad462df6e0e7732b078907

SHA1
39ec3f859d5ea1c6383cb35105698177983e6ed7

SHA256
3bc72c02d43b59ee93a5e2f523a8db32a4fa8030cf11fb8275e71cfec2003a97

SHA512
ef237223526962777b70ea71e75f42d57f41896fb24b5d69286f3bd73f27363110e87df11fffd6cdd1d9dc5353d471f3ab612dd5847a6fc6a83e65a92756bc62

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
71KB

MD5
77e5007fce68069327ff8838d480e2b1

SHA1
2ff0a3ae217edda241c56442653c1cfdce5d174e

SHA256
6a3f4d2a9d75aa55b0afebb9cb48db9216fc95d9dee5c174b07bac57d619d9bb

SHA512
601af3e67e71cedc4b63185769eec8f52203309d89519ccbda3e5b8b43a79419a9226aac3df866daad4e81eb01990c0a367b76da4cc05bfe2be5c738d2909b33

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
71KB

MD5
c33c30f6f084f702026e318e34d32fc1

SHA1
68fc008502d4c10ad81cea92bf643af5ec978a5d

SHA256
ba171a113166897664c4d1f05c3b7f98c0f94b7deda56a079945c2278e26644f

SHA512
af4619ad0f2baada70bf624abcffb27c7935ba519756ce2bd5122a4f162a6a8cd8ad406ef59a547bf082dc714b01b43b0cad29b44ee3b07863cd7e7d7c2f51ef

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
71KB

MD5
2c55c56215b59a8b3953e5dc60a6219e

SHA1
c66e4d4f3f301c793c57e6bdb29a11d0b1b480b0

SHA256
6d2ac39eba13409e0b8fbcb30f7ba935df3dac752b121299c0e1531c8dafd511

SHA512
a5e1e2604c5323f789d291b2f1e50e9bb72106c912d27d50c0e390e6070ec22abcd5165ecbfdfb9bcd6b993bdd5c84443cb3c65c3ac740b5d18e4713ac334a94

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
71KB

MD5
f0d36762ffb1a955c2358d2d23499551

SHA1
72338f654fc7c4b78b385db50403d1c6b606e3e2

SHA256
14bcdd723dc79fdc50d06d3511522022377dc599b686c132c2c7aec16a9e0230

SHA512
284d55c1c9d4b6adf86c023b3948e943d9811560e21f7254ca71ad8d8e979256fa735d55ec6eaf664c2f8be72874120b340e2ef8998827c867dc479a34c2aa89

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
71KB

MD5
c0dd3e8e2a7df98bf38f95a6ef19b2fe

SHA1
c3a0bce4235130d7b7f08447185e25c7d18ba986

SHA256
3b5a792ecb0c900c59ace97f4df110886dd71419b1fb35f2c1dd81bf92687f2c

SHA512
f45dc4d1d2793d0d7c18cb9b91994ecbfd9571bb61446d8a70abe4bfc4b47d197eae7039c469ff3b7380657cc0840e9507b27dd8bbd0c845a8f313b4f2579ca2

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
71KB

MD5
30581bfa26bd7a70f94c9b4b02f48147

SHA1
53b499b54461a197dbd5f6e66f80e8392591cfd6

SHA256
79b666fb715ea6705a874d16e2db84968bed7df7f96609ad8df74a748cf3cec9

SHA512
7745e4a6dfaafa7d146ee8110ffe8a8857db8a14224d50520288494230536aff00cef4862c45476948f348514d1148083dfd6ecb76baebd3cc191652f91ea799

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
71KB

MD5
8df9dd238bdc94e25d6b16f89cc3ef6c

SHA1
0452874baaa3397bfb999e71bf4285b1fb1d8cbe

SHA256
3697d1058ea9cfe1ac2b5d3b13f0b8d9b2c7f7506b95ce8ef6f397dc7492398d

SHA512
815df4e4194fbea7712bf68c888f0f690d7c8383e180806a76a04e0d4deed47439561616a72b7fadbe2136f5fbf72e79888696e726977c4e233068e45c8b597a

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
71KB

MD5
02ec4dd2ad28691ba3fa1aa612210783

SHA1
b7676101b4b161801c7deefccd8ac6d6004ec6a3

SHA256
016934e38f2f3d8dccc15097022a12b3552945a4bca771ab72fbd71f458cdac8

SHA512
b73135bdf324203b5d2124e3229106572bc17990c9314da51e42656ea0efba0aacc97f43633b9d4246fd9bdb8168384aafc6af4a86ac7537dc9dcdd85666ee2b

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
71KB

MD5
d7dd40c255471a3bab251444b8d88c67

SHA1
ab8c15895d00353f379d0aded0b99cfe00055308

SHA256
5d07956808e853bf764a3ff408ad65dccc29dcf03f1780aafd19754c719c8006

SHA512
56cf6b438dc9b203b7a59548cf53b4cde926ae5f43e647180f9e569b3f12b1cb408c2bb150780ac55729ce19af986078e0b2b9e95681dab154758433ec8194e8

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
71KB

MD5
fae44114439fe99c9f2585b6f9eabd12

SHA1
b521e1683c79c605941439a6e0386325fcb03e16

SHA256
5f4a5f78cb2808c9e60b516ee26d30d97f582b674d9a4c7491f440a91ae1a211

SHA512
2a3509eb541101322ae6e0b24e963e760a88f924b41a951725412106740fa21c8f0a7ad8045d8a38f2582f89509dc3f8d6c3c0467fb95164e61b0e9b2fb32036

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
71KB

MD5
d0bf1b1b06b5b87e1eeedbd647f42b5d

SHA1
1eff8705b3fd01588c1945f51c04dc1b16735338

SHA256
a34ea879fa61b992f0c2ed37e0d7f2bd3fb256fa4d360790a36909080d459ebf

SHA512
50d4f862cbb216d7028ccb7e3a622d6a712f0c9f959ed72a84fec6cc3a9b5e3e52556c1c95d03c6f1947a9d30f47749767972b8962e1ddbea4c46ff1e025b81d

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
71KB

MD5
1534f777b389f055b14321497489d104

SHA1
44a060e48f5210e5645150f5d339d32ef460dd5e

SHA256
d3a373b5bf00adebca0072c72d5d926e0379faef5ebf096c60d27708ccf15e37

SHA512
3fec90243cefad411a485461b06d475a2562031e60c2db499693942a1dc58304cc1d285a92534d4919490a5500a1e93135a565e3fdb79a87fd3e210ac9c92958

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
71KB

MD5
f5b8a2550fb46b217c44512e385e8927

SHA1
c5afd4a273025475f90295c49a546c8eaaaa8cf9

SHA256
a0118ee6d6b1a415106c65724064a27211f58ca24f299dd39384e3fda079f610

SHA512
fabfe25826feababfcc1170821693458f4d58fad0a15d78bbc8eacd001bc8239331cc65272f08ac22ec185f5132b7c6cc7fdc6a196f0c2f2317d40fb070d7ba8

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
71KB

MD5
e2c2d853e4f4f7682fa0db412bb39ce0

SHA1
d86bfc9f345a3e393ec582048bd1adad889cbb8a

SHA256
3357f4265e148f4f9aea33436f788a9a06994879eb61b6517224c29d958304ab

SHA512
4746f673c7d6dac5bd6ab09dd0701b066dd86ca0ce4775691b872a93607e7ee584dac27f21612c68fccd43dd9de7269817d71c1eed4ac508c2ae73851a662dd3

Download Submit
C:\Windows\SysWOW64\Pbljoafi.exe

Filesize
71KB

MD5
5d9ac76151cffb184b2b09008989355c

SHA1
9506d88bd0923d62c5ab03c99270a0b514b6a1f0

SHA256
ca54e05ef60b5935279706b26dd8f1bd3cc1aa3fb56f4d7bdf8e39a3b11351c6

SHA512
9f20467b6cbc0fe54e70404b92ed33eb7421dbc6e8d9bb8f9a59e65560ea45ab041b4f0ca44da0da85cb843d992dfb6e700d0fa92a8ff8f780829fba21cf5b93

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
71KB

MD5
02a9178c0aa5aec4b7b000a57b696b24

SHA1
56a507fc41d7a233b3d175d2cb2cbe4bf21bd55c

SHA256
ee2573f8007899c6391811a961cc0c05e838e9492ab888b01d284268ff2ddb2e

SHA512
c2d4e5fad1ec3f6e48526cf627be6996f7733f5a664c7b84b731d7d21816cdcafd602a9f04f0d8f19c32a71790ba5f33d538c2343b52c038f6187a1a31234a0b

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
71KB

MD5
2e63f50c5671ad3641146350f0b5cb4f

SHA1
32968cffb299919425a80582574728833416869d

SHA256
e4e1e388d2507a6e28c2a8ddca9829d350d76c3054c87f696c03799d644a807e

SHA512
415756fad715333ba8efd33459ae7cae4b8c9ccf623bee0c1cb3a2aecfc508d60b13fad2a7c0df01ebbea3d9a8a0a6d4bd0caf846a85d17a372510fd720970ad

Download Submit
memory/220-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-703-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-707-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-709-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1844-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-677-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-701-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-697-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-687-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-693-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-695-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-683-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-705-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-681-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-691-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-689-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads