berbew | 4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
Size

208KB
MD5

ed2b6ebe7ff2e215683c5de0d2fd4f65
SHA1

62ca7fae361a2434c050cdbe5aff127178343bf4
SHA256

4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232
SHA512

63e32ec42f96fb0c6f8e8430272e8eab60fab60bbb27eeb060c1669d6ee79bae6ed2db2c14852c8a3c99e08ca0d75ba853bd9ce8b9320adf0b969e5b526f6523
SSDEEP

3072:onpEGoU8SiN8BviW9j6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnRe6:onpN18jwB9j6MB8MhjwszeXmr8SeNpgg

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeeecekc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeeecekc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 46 IoCs

pid	Process
2936	Nilhhdga.exe
2596	Ocdmaj32.exe
2584	Oeeecekc.exe
3024	Onpjghhn.exe
1152	Oghopm32.exe
2748	Onbgmg32.exe
1260	Okfgfl32.exe
2896	Oqcpob32.exe
2324	Pqemdbaj.exe
2640	Pfbelipa.exe
2268	Pmlmic32.exe
1220	Pjpnbg32.exe
2032	Pfgngh32.exe
2388	Pkdgpo32.exe
904	Pdlkiepd.exe
2012	Qbplbi32.exe
2080	Qngmgjeb.exe
1328	Qeaedd32.exe
796	Aniimjbo.exe
1648	Acfaeq32.exe
2216	Akmjfn32.exe
2112	Agdjkogm.exe
1512	Ajbggjfq.exe
2796	Aaloddnn.exe
2688	Ackkppma.exe
2400	Aaolidlk.exe
1948	Acmhepko.exe
2644	Alhmjbhj.exe
2024	Abbeflpf.exe
1492	Bmhideol.exe
576	Bbdallnd.exe
2252	Bhajdblk.exe
2560	Bnkbam32.exe
2116	Bhdgjb32.exe
2872	Bhfcpb32.exe
2924	Bmclhi32.exe
1704	Bejdiffp.exe
1264	Bkglameg.exe
2256	Baadng32.exe
2464	Chkmkacq.exe
2376	Cmgechbh.exe
2528	Cbdnko32.exe
2056	Cklfll32.exe
1936	Clmbddgp.exe
2512	Cphndc32.exe
2132	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2728	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
2728	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
2936	Nilhhdga.exe
2936	Nilhhdga.exe
2596	Ocdmaj32.exe
2596	Ocdmaj32.exe
2584	Oeeecekc.exe
2584	Oeeecekc.exe
3024	Onpjghhn.exe
3024	Onpjghhn.exe
1152	Oghopm32.exe
1152	Oghopm32.exe
2748	Onbgmg32.exe
2748	Onbgmg32.exe
1260	Okfgfl32.exe
1260	Okfgfl32.exe
2896	Oqcpob32.exe
2896	Oqcpob32.exe
2324	Pqemdbaj.exe
2324	Pqemdbaj.exe
2640	Pfbelipa.exe
2640	Pfbelipa.exe
2268	Pmlmic32.exe
2268	Pmlmic32.exe
1220	Pjpnbg32.exe
1220	Pjpnbg32.exe
2032	Pfgngh32.exe
2032	Pfgngh32.exe
2388	Pkdgpo32.exe
2388	Pkdgpo32.exe
904	Pdlkiepd.exe
904	Pdlkiepd.exe
2012	Qbplbi32.exe
2012	Qbplbi32.exe
2080	Qngmgjeb.exe
2080	Qngmgjeb.exe
1328	Qeaedd32.exe
1328	Qeaedd32.exe
796	Aniimjbo.exe
796	Aniimjbo.exe
1648	Acfaeq32.exe
1648	Acfaeq32.exe
2216	Akmjfn32.exe
2216	Akmjfn32.exe
2112	Agdjkogm.exe
2112	Agdjkogm.exe
1512	Ajbggjfq.exe
1512	Ajbggjfq.exe
2796	Aaloddnn.exe
2796	Aaloddnn.exe
2688	Ackkppma.exe
2688	Ackkppma.exe
2400	Aaolidlk.exe
2400	Aaolidlk.exe
1948	Acmhepko.exe
1948	Acmhepko.exe
2644	Alhmjbhj.exe
2644	Alhmjbhj.exe
2024	Abbeflpf.exe
2024	Abbeflpf.exe
1492	Bmhideol.exe
1492	Bmhideol.exe
576	Bbdallnd.exe
576	Bbdallnd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dcnilecc.dll	Oghopm32.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Onpjghhn.exe	Oeeecekc.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Pfbelipa.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Okfgfl32.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Kjcceqko.dll	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Pjpnbg32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Oghopm32.exe	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdmaj32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Aniimjbo.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cklfll32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2984	2132	WerFault.exe	75

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeeecekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaofqdkb.dll"	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Clmbddgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2936	2728	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe	30
PID 2728 wrote to memory of 2936	2728	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe	30
PID 2728 wrote to memory of 2936	2728	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe	30
PID 2728 wrote to memory of 2936	2728	4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe	30
PID 2936 wrote to memory of 2596	2936	Nilhhdga.exe	31
PID 2936 wrote to memory of 2596	2936	Nilhhdga.exe	31
PID 2936 wrote to memory of 2596	2936	Nilhhdga.exe	31
PID 2936 wrote to memory of 2596	2936	Nilhhdga.exe	31
PID 2596 wrote to memory of 2584	2596	Ocdmaj32.exe	32
PID 2596 wrote to memory of 2584	2596	Ocdmaj32.exe	32
PID 2596 wrote to memory of 2584	2596	Ocdmaj32.exe	32
PID 2596 wrote to memory of 2584	2596	Ocdmaj32.exe	32
PID 2584 wrote to memory of 3024	2584	Oeeecekc.exe	33
PID 2584 wrote to memory of 3024	2584	Oeeecekc.exe	33
PID 2584 wrote to memory of 3024	2584	Oeeecekc.exe	33
PID 2584 wrote to memory of 3024	2584	Oeeecekc.exe	33
PID 3024 wrote to memory of 1152	3024	Onpjghhn.exe	34
PID 3024 wrote to memory of 1152	3024	Onpjghhn.exe	34
PID 3024 wrote to memory of 1152	3024	Onpjghhn.exe	34
PID 3024 wrote to memory of 1152	3024	Onpjghhn.exe	34
PID 1152 wrote to memory of 2748	1152	Oghopm32.exe	35
PID 1152 wrote to memory of 2748	1152	Oghopm32.exe	35
PID 1152 wrote to memory of 2748	1152	Oghopm32.exe	35
PID 1152 wrote to memory of 2748	1152	Oghopm32.exe	35
PID 2748 wrote to memory of 1260	2748	Onbgmg32.exe	36
PID 2748 wrote to memory of 1260	2748	Onbgmg32.exe	36
PID 2748 wrote to memory of 1260	2748	Onbgmg32.exe	36
PID 2748 wrote to memory of 1260	2748	Onbgmg32.exe	36
PID 1260 wrote to memory of 2896	1260	Okfgfl32.exe	37
PID 1260 wrote to memory of 2896	1260	Okfgfl32.exe	37
PID 1260 wrote to memory of 2896	1260	Okfgfl32.exe	37
PID 1260 wrote to memory of 2896	1260	Okfgfl32.exe	37
PID 2896 wrote to memory of 2324	2896	Oqcpob32.exe	38
PID 2896 wrote to memory of 2324	2896	Oqcpob32.exe	38
PID 2896 wrote to memory of 2324	2896	Oqcpob32.exe	38
PID 2896 wrote to memory of 2324	2896	Oqcpob32.exe	38
PID 2324 wrote to memory of 2640	2324	Pqemdbaj.exe	39
PID 2324 wrote to memory of 2640	2324	Pqemdbaj.exe	39
PID 2324 wrote to memory of 2640	2324	Pqemdbaj.exe	39
PID 2324 wrote to memory of 2640	2324	Pqemdbaj.exe	39
PID 2640 wrote to memory of 2268	2640	Pfbelipa.exe	40
PID 2640 wrote to memory of 2268	2640	Pfbelipa.exe	40
PID 2640 wrote to memory of 2268	2640	Pfbelipa.exe	40
PID 2640 wrote to memory of 2268	2640	Pfbelipa.exe	40
PID 2268 wrote to memory of 1220	2268	Pmlmic32.exe	41
PID 2268 wrote to memory of 1220	2268	Pmlmic32.exe	41
PID 2268 wrote to memory of 1220	2268	Pmlmic32.exe	41
PID 2268 wrote to memory of 1220	2268	Pmlmic32.exe	41
PID 1220 wrote to memory of 2032	1220	Pjpnbg32.exe	42
PID 1220 wrote to memory of 2032	1220	Pjpnbg32.exe	42
PID 1220 wrote to memory of 2032	1220	Pjpnbg32.exe	42
PID 1220 wrote to memory of 2032	1220	Pjpnbg32.exe	42
PID 2032 wrote to memory of 2388	2032	Pfgngh32.exe	43
PID 2032 wrote to memory of 2388	2032	Pfgngh32.exe	43
PID 2032 wrote to memory of 2388	2032	Pfgngh32.exe	43
PID 2032 wrote to memory of 2388	2032	Pfgngh32.exe	43
PID 2388 wrote to memory of 904	2388	Pkdgpo32.exe	44
PID 2388 wrote to memory of 904	2388	Pkdgpo32.exe	44
PID 2388 wrote to memory of 904	2388	Pkdgpo32.exe	44
PID 2388 wrote to memory of 904	2388	Pkdgpo32.exe	44
PID 904 wrote to memory of 2012	904	Pdlkiepd.exe	45
PID 904 wrote to memory of 2012	904	Pdlkiepd.exe	45
PID 904 wrote to memory of 2012	904	Pdlkiepd.exe	45
PID 904 wrote to memory of 2012	904	Pdlkiepd.exe	45

C:\Users\Admin\AppData\Local\Temp\4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe
"C:\Users\Admin\AppData\Local\Temp\4e92413f466c5207ec37c87b0540f5c204884f08cd95a45c18137326fd2b0232.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Nilhhdga.exe
  C:\Windows\system32\Nilhhdga.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Ocdmaj32.exe
    C:\Windows\system32\Ocdmaj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Oeeecekc.exe
      C:\Windows\system32\Oeeecekc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\Oghopm32.exe
        
        C:\Windows\system32\Oghopm32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 140
        48⤵
        Program crash
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
208KB

MD5
db3fa6af068b3bfa794be374be326140

SHA1
df30d3ff38603b2d152faa4dbbc56734884c14be

SHA256
9f32a2d7a21bf1d8c9786f55045983c3a62bdd8869ac6331869a68f21c4558a6

SHA512
327ca2bd804af48a824478d1e2adf6f46b302aef25e3e52799fe87f52d1704f3c973d682cfc53a3a67e73c6d780a009697ce309c1b26b0c997adb2a5fa1d1ca1

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
208KB

MD5
a3a4d2ac1c0ede0903248bc296bc9a49

SHA1
e5e7df069737020651751037091d56d97771a60d

SHA256
bb2b19e3551a915c4877e70d6989c533441326309635b6568945bbcf457814f8

SHA512
be38fe09620e1d4751c9c89e4804de1e78a63919becf77defd05d8e45cb83f21ac6a5cd54416585cbcd7b2a88aa7de10eaa383796993f844541308388a111092

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
208KB

MD5
2dbe8e2a6a18e26d1f8605823d64961c

SHA1
7a97b950c1a51c1c70b384d843b1de134cc1d3ad

SHA256
77a5f9adb2608036517efcd31a1b6371bccd21655d13f1e464633774c1a38c4d

SHA512
0de590a54926717981b367d521973713ecd2411473e249b9f7aff1688e9673eda38c644b29396ca0561eeeab821e34b9cd62185d1e90ccd732b080ccbc00f53e

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
208KB

MD5
255b423465fec35d1e22e2d6b0424ce3

SHA1
ecd4f8644b528bf243a5d95238f25c9ef4b7a91a

SHA256
d5fb35b71e38b1221acf374eae3f11fbb06ba5e1f2f1c689e8e5b3ee3634162f

SHA512
f76eba792222c864e8ee55fc25bcad7f6c553aec3d4beedf11e251792528980c9647af89fdb32799acb0510ddd5805d71248e812234105110e34eeec93b83a99

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
208KB

MD5
a2604d64970edccc9260b5eef727bf4b

SHA1
df74f15454dd6ee7f885d30de3b025d99eff0dee

SHA256
0ee3800e8f124219854d490d69bee71978e78329638a5e5682ce42581cdc24e9

SHA512
e7f2ce29e2fe4127362e8450870f0fbd2abbc438b9a048fec4941a300f7c9486a06e8eeef90c6aa607ad180bc6e8d0a670ec846a1205d6e8e08fd30e26c1dbd2

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
208KB

MD5
07ed4a2ba3e8ffb3dab3cb1faf1485d9

SHA1
816876d15fed20da8bbfcd68b20b02845b027cad

SHA256
b17f5ff241b385a44af8a161cdf816c5d22d889006ea8c066064654354f7ccd6

SHA512
6c781d1e9fe4512917b68814736cc5a6f52fe40ac07494793207caf138ee42cf700e68803c85523973e21594c4ab68f795adde215226c43e4233e741e040d162

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
208KB

MD5
b5a98ccec3581ab8cfd0c35b8c6a6089

SHA1
f85eb27f167c1f1dff44d47302df25df4891faa7

SHA256
cffef6932b97609cfc22711054672089a776a752c0f8901fc3f77f3a493bd33e

SHA512
149adb2f063fae3fa61af26da197210b14bfcfdfacb125ceb1e25953a7037e2c5bb3b459c091821f95ac2588644cd79aa5ef4b69224214b0e343e21223000810

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
208KB

MD5
54e860deb1cf1bf2a70a93112138939b

SHA1
4f64eb2ae63cd71bc3a8d81ad8b299c40fb128a7

SHA256
d2f4bc496676fe4f58d4f2903c2ebc95bd81cfa13c62b8172c6761bcaf438d5e

SHA512
4fb1663902bc34b41f36e6b22e9009a122d1c78c1b514ed153fd6d302fb4b21e5443c58be4ca38ebd4bdfe34d4dc868cffa9d8a06b1e7be2a0b277f00d824aea

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
208KB

MD5
a6dd00468b7e3a7bf635d986638a48b2

SHA1
a9e7b075b7048ac74e042c2534d51783ba5ba5f8

SHA256
8592f4e18016ae43bcbf6221446ccec725b23aa69c1a54340a25726ce973196d

SHA512
7ded0e58c878323b3747c1be60b40f0c7748749f1606e1dbc2fa05f6776d04921bf75ae3549649c1ea8d8eab8c41e4454bc2bc86ae4d74ec53e02997f181eee3

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
208KB

MD5
36675ed4a5e2868ee4ee7885b9f90ed2

SHA1
62555596a2543451401ae6072a29221d45912013

SHA256
5b54b2460a094b12ccec64c1e5f5e813e3c5aec592da395e3a003bd560751f24

SHA512
60ebc266fb089fe8e6f8676be7362c6b092f16469981fceee81d7b111d305fd1c3c650daf71dd4675e1f56a775ca1699523ef087e9e6d09846aa769b102e19c7

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
208KB

MD5
19dcc66f5d9060a4c1882ccfe21ca119

SHA1
9f777a259de729b8ef8d832f4c49bdf33bc6c57e

SHA256
a5a4a321a78723b1ec863a11469e7c1ce4948d21c13a55fe4bbe94b0505f702e

SHA512
64c639a5cf445a74f587a69d7f413fe96744ecf14cdf0201591c8cf3f7ec71f93360dfc11c6f4e49cc2564cabfcedf0dfcebb8da9088bb02296de29f6bc3cbf7

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
208KB

MD5
85928dc7edba92d8f153f496b361f7a2

SHA1
306b1a0a8f7f073191f61d208b6cf723b5f6085b

SHA256
5e0665f47918326f543c1bac0f391726f6cee69fbf5b581dfc9032730ecc08ee

SHA512
a2a8478ae06a2263e76e0cabe98cd5b869bc9d35d9fe9d743a87ae1d0954af68c814a00830ef4e5c4b5c8011d84ced786c77baa652899e78e12b352dc7fb2cd0

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
208KB

MD5
6f901ffe9ff8d40eb2ca9001b5152de1

SHA1
df8f2eb274676451bf6af06f74122d2fcbe47b82

SHA256
ee024a84e1f5ec518142757320af179cedaa07481434af6028c47d115f9a3dfc

SHA512
a2d8894307714bbcfcd1d284d51332514c4d6a352c4c4a7db0c68a9446960518644a688fffefe34bbec77daa79047094ce32df32863299d565b1302455b18863

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
208KB

MD5
b10acd08260278cb7c720194cdaf890e

SHA1
da0d8dc8e23a002f0aa5fa27ed2777de64d90de6

SHA256
ea3a55091ef32d17b3a41f760984b0ac720653dd7095a7248a46dc372138954a

SHA512
6120d5cdd6fcb202473a3f0c6533a1da9ab9ded8c3fdb213f7698f9966d7aac77c59fe9fad3cba00c5b142c8867760ee28b6e4cac69f545f6eccefc50aa654cd

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
208KB

MD5
007f138a8fca310f0d3157ffab6dd018

SHA1
f71a0b1a63ea589c1406b616c99003fffaa3053b

SHA256
9357f49c8d6be56a66a55b6a7ea5d6b1a3f2bce60120a5fce752052d37fd85af

SHA512
6543626645d751837f58cd191ebba053974ce583eb2ebfeffba1c62d7c86a81b0caa13a5b8dc0736a622105c52c6ad58d07b582329f151dfa781e04b6a37a607

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
208KB

MD5
b7822555db84c6ce81b330f0cbeef07c

SHA1
5e20ef7a9f9c6271049eb6fca46e86d0d545afc2

SHA256
f20aa496f84bb2fa1c5d83c30ec0dde13550429933ce446ec64671b5b34ebaf8

SHA512
26a22b361adcfb2baf405c8fcd3ca7082ab570aeb96fddb1b22d4400c17523dfecea4e840510a18ce1c754e386375dc89d6f0636980bef2379c27bee0f866d46

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
208KB

MD5
8809a26284e45905ad753afdade6ba68

SHA1
b65a3f627507d3b61506ab0c810053de2cc4f997

SHA256
39955a0e75d7e012fae65419306991d902e5528a17755527d03b8936d92aceda

SHA512
fe2a2c86475865c9ec942d9d28c45327adb72f28a21e234e91370200ae92800e23022a5cf71a77586a0f40a1997db186f75050168fed8e2b6c97d3294a93d20a

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
208KB

MD5
2b6b68a3488a06ebaac7e8ab43660fbf

SHA1
a1818d4ae68f7361707f98b13890c0d8cf1df9be

SHA256
f3dc2259a2c11788db3b101e72f847af17552ae2a281c5898a7f7ac74f59f7ed

SHA512
44ac620e22de445d7123bdcce9fb31c01888aa9641c97e23dd15970b653ce359d918e796e62bf1edb63f8ded7f0b6537c01af81e1c5cced4a1e72685bdca618f

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
208KB

MD5
3c9158e25b2277c0e7c6a2e4ccac41f1

SHA1
cba32f6247241eac13b105f490bff21b248c708c

SHA256
e93a6aa589e103af6f886a9a07fa4557e1485e7c16d10b21e22f616d49e31dc7

SHA512
60fcaa242ab8bb6d127f8707b0284922a343a29ad8b1824f454512d373ff8ea36c3246ec79289faf389cdc2dd0c1e51aac70956b73799c3a168ffa1f81ae9486

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
208KB

MD5
6320f3e28a0176aebad3c5938a3c0854

SHA1
cc63b29be24c6e646ab9247d72a52e89177735e1

SHA256
b307c64d75fb6fd00365c925777398ac352c1070600208d707ad2fe87d9fc644

SHA512
8789bb73cc2e41c2a9e46908c9459de32b436a36130aaf347845a3baf7c55775ff73e114e77a1fbc38ba2eabbf11654ead26ea5a7f1ca3193c71e6c895961585

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
208KB

MD5
8a05ef2221ba8b16b94babb32405832c

SHA1
87c07e1b61ccfc204d6588a716ffb3e4440782ff

SHA256
3684d7554fd7889eef201336b7a5aa5c3b687041d61ce2a0b1f9828910b37e7e

SHA512
9675d9f399d04f235dcbfc5cd432309e122128e6832c757d5dc0dcf95dd5f2c095748c407ecc51e1b2ea23413f3dde3f04802b4226742450f44d8f2dce2926bf

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
208KB

MD5
eb1a57ccc32a4aa33586961d5191613c

SHA1
cb96e185470bf0f0a25b787c6aaa0c4021cff0cc

SHA256
fa1419111ef803a5c28c7720882f0ac51849486e370d1d4f14f22b27ebcb7412

SHA512
4d4851e75f850cd340234cb389f72b52df77f4cf200aadd3b5e61e7dcd4734e3f6e49177e569a5176bda9a70c7d72e6abc8c857ef481c916354cda42a98d0b27

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
208KB

MD5
864faa015dbae07e56548b41c805aec8

SHA1
c6f065c9b98bc5b16577663e2a7a0eda7bbd52a0

SHA256
485b117e897535f9f92d7e9382dfc8a3b998e863158b2c86b2c53d33d2fd48d0

SHA512
27908ec9b8c200a4864ee3776f13d9b5648b02b90fd8733d5f50921301d2fa1b642a0b026ed09310953d0a7e660fc37157cc4a77a6c4dab9588d6b89e5a2fb9d

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
208KB

MD5
3f233ee7aab7ddb8776c1afa0059b064

SHA1
cbbf920271c6301f878516803d930283eda5bcca

SHA256
a65d371ae6cfd45aafd6f2651de3ce656105fd415eebcecd1d75f7b407d85c98

SHA512
89362cba9399f8da6fd3a81feba1f822f66b165b7965afeaf56c358d50a194ea1b50db7cf5af80a46c637f4c57aa27be146617265dae402f75c2b2ef6027cb07

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
208KB

MD5
3242b552d7c1c164407856de852187b1

SHA1
5411e1e5427c7d12fb981953412df6ac6553aae7

SHA256
fdbabfd03e7668c7ed73ee8e7ee454deb64bc5c48c302ca704fccd3182efa4ee

SHA512
23fe90ebcad577a1e0bab10b053dc1a9ce4b12a0cb0933eece90f3fa312fb44f00e840afad43d8c8de4641c7687b5cad3fc7ca39809c2e770ab86a20e81ce5bc

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
208KB

MD5
25bc545d7cf50f9cde35566e4c86cf50

SHA1
1ff85ef53bdddabfcc09b455411837afb58def47

SHA256
40026d9b43e7e5bee8b4a786d810d3eb4914698be34980b4335feced3e22b17d

SHA512
063a9a985ebda75d24006572b6b7dae4bc3899f58e8c9625a6c9b484f6703e16ca7a05851bacae46bb182be281efcc7260e9c9ad96da498905d1466a6762db47

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
208KB

MD5
521348ef5a6e36c1cb219ab260aae1fb

SHA1
ce7ff2cd9e2c1a61249b7fd5b96875fcec8efee3

SHA256
9c33dc1d56b187670d1997180d316c4697656cd43fa631c3553f7d8e6bbf6b3d

SHA512
3b78232c40dca4f15490520933edd4bdf89722a93982d7b38f770ede4695fb33d84bd928525364cf16ec813e5995728e3f2317a9dcb0a5ef3d8c10852f9dc2c2

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
208KB

MD5
8a8b835ed3403498b5db655bc53a8e83

SHA1
167fe9b1d0333c69225efe4f09795ebb847664ad

SHA256
f52073075310051451ad1a9f93ad1ebe81c951671475a0982d71563e1e3b9474

SHA512
fcae182ed0fc497d4b1688e855092fa23044caf34f068db9d2c46e0f7dc4335abfbacbdf49ac44f5256862737a618240e3f2f986cb176c26f45c2c32f9ec49ea

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
208KB

MD5
75f816c36fd65f60750f407b006e9c5c

SHA1
d710f909641ffb628375ed926ac40d3e51c1290c

SHA256
d817d3fc31837571ebcfcf21e38716b47a7cafe0a1559a521259024f62acbce6

SHA512
ecc5c592e3511bd774a91352a22bce184e1945d31b44c8e6e774d74ea4ad53224df38c3135c5bb48745229a960fb73c0055553f890db84a6f508abc59c1f36bc

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
208KB

MD5
ce318ac17465a0bb8a88966ef02a4f41

SHA1
a94e561a58e6cfc56bf3f170a55ca6491afe0dc4

SHA256
d418b233b50f63f8eb043071cdb8d50c24bbfa981050f0685207cd6b81ef1292

SHA512
d2af766522b86bef3a623437c3039554a5302b91a531b2bee6aa210d83292df77af81f25262f27dfbd864490863d3e2a7eeddf53d949353a3ee3c1e2c4fafb2f

Download Submit
\Windows\SysWOW64\Nilhhdga.exe

Filesize
208KB

MD5
3661c2676555b984450ef55502ddda29

SHA1
72093f9113f8b977828c946771c1bd3547762ea6

SHA256
918efb0fa83645c609dbeab7b4043b299a11abbc6b59f483e89da9b41fe703a2

SHA512
dd0d3e48024173d31c4e258a7e66251933fb9ec021f21e6975915289d1efb74b14776ab5edb1bf73983ae8c03e23d028fee180f3c4939fae4e0fd7cd36961678

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
208KB

MD5
1d9750f89e253a575082cb6702fae173

SHA1
da21735eb1d66d3bc127e1868d72b71ee577ff88

SHA256
bce34e7062032bba282343950bf778c81de9a4d7e238d71eafa2e3602eef5ced

SHA512
e942aecc017d8b164eb8a6b776b7185b8b59cb22826fa0ccd54a3bbf76fd6078ffe04b36a83432835d51d59e3ba1806f133db14016c6c9e38bc9d0e9dbe3df35

Download Submit
\Windows\SysWOW64\Oeeecekc.exe

Filesize
208KB

MD5
40e86b1ebff75c7002783f6b0d9d66e9

SHA1
d0cb5e94a4c6f6e7c7cb8f7d0b8875928da0e50c

SHA256
be8d133a73fcea115fa2ba94ed75b4473083ee8455bb98ac0e22b3c9ed7e41f7

SHA512
c4fad7deff3f50a93bc7576b29bd37e050efab6f9640ed92bfffef7624ab7b83fce12c1531a7b042608b492fb5a0dfde597b5602712aa33c9666b7c79ab609aa

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
208KB

MD5
fcc250de2185d3e76b115e7c877ee73a

SHA1
ea49510700efb47dbecd2e11492e406aeb9e0347

SHA256
6fb921019e01cf623f7c8bab9e3f00f4bbb583b922982e9f62e85f055bf94324

SHA512
71693b33285736c131fd7b56235b15af6a7640d467cd8834edf80e797de479fca1888b22ac07d22167055e700120db420a1bcaeea4a09e8c7eadc3b18eeb0273

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
208KB

MD5
3877f927c2c263483c73a8ea442bfda1

SHA1
d216964f447b231b34903fa87c5390d4f8bf4966

SHA256
f1243482c9ecad18bb66fa62e0ec101c29f7bd623303a8c9da8a0de08dfe3778

SHA512
48e6c8d9e078c76fc34314d4eba4aab7dd58183b480b54913abaa3e00d29dba580a35d477f90e0d0f7657ccfa03170d6598a18bd55b131e267f5a3aaafbcb6e4

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
208KB

MD5
f336a7ee02f9f50bdd2ddeae80233a8e

SHA1
d3b3636bea181363724374b58812d22d3a539399

SHA256
dc6cc26eeaf5d87c4fa3c665ca6dc3c266f611546a51fb79478926e3ed8231be

SHA512
bfce1b293315f0e7e2ab69d46796f603cdd0c73217c355deca5cb514eebe8244e53925530c8dfca65c9e7eeac40414d657b0860462df8a633d69ed9fcf284875

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
208KB

MD5
0346d88465e8c55dcdf3fbe6d07f8d83

SHA1
58960e395bb4f95b80b27dac41151c10d1356567

SHA256
116245bf4f982bfdf04a780c3ed590adaa81fb4c18b5a482deaa987983769dcb

SHA512
792dca606fe028ee5c1881443e1eade91309e14fc58a92c0830a1c27b9e0245ca0d7d62ac2b9d8470f21a7c6f5289f068cb055c7549f029c577398cff101a0dc

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
208KB

MD5
d6acacc8154c7509f39133c3fb07616a

SHA1
a9c24e1336f7745d22f26f52e26bae93bf0817bc

SHA256
a47932ed99f2c79874c6850e4839be23644498daf0ae806854c6c15a179c1ac3

SHA512
4d9f4e62842fb2159a504cec23bd51c571eda344eb390e08aa8216ea396a8f0bafc39f85acbc6f0eaa3eda3be9f348e17811a845442a4cbc9e2af1af72de0acb

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
208KB

MD5
3594dce0d7f71a7849511ed4426ff679

SHA1
2ec7c0ec0f1c34a831347d14f33cc7bdccbab41d

SHA256
16d90f5961d9db54554cb8fd97f59582ed8a762d6ddce02e6023b1d28589d6e6

SHA512
17fd3fecf8d729bb51299831d0fe19534fdcb82cb6e34644fdee4187d67bf768c40a4cba3c186f59b5b7c1a2e372c2379e705b1939e8885ea530965fe8433a5b

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
208KB

MD5
9d3dddeb61dd8ef9cef6df6cae71b469

SHA1
5e35bef77be41b48e98c7c708c29a9aa1f5b38f3

SHA256
7c83be9c03ea14b51a0c9e3e5b9f7a62be76d70ae7ed5a48bb9620d47ac80a16

SHA512
8eec04224d87e2bfd71e4d8bb0486c559f091311b8e34a2b1ec94687c68beec078c2a5cb993313b04c4b8309f8b2b62050b4929df0011426418d23a185ce1e27

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
208KB

MD5
a2cb6593ff7b903029920923c4833477

SHA1
e9025ee84ea058e4923cc2ef3202b37869cc3cea

SHA256
645de9244f90ec70e2a8793ed617cdb90f586667450584e643a7a161b983171d

SHA512
a51b79556660da3b0791cb630804c8a9ae934ed2c567938874c1bbdd773e937b254a849daf8459d5e3cf4648b23d05f87e16647ad5b0a33de7e9ba43801f455b

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
208KB

MD5
aa3227b3cdf717a41fdc819228e73467

SHA1
8a24ad613fd21395e5f9ca19f7c4c23d1e97a9c8

SHA256
b48953de9d3c3d269daf841b49e1115ff2afb01a49feee9611c80c03b27b0b6b

SHA512
f525e357cb86c3e2e2231a80f692b7128c3f4aa114b583cd9abb69adcd8123067f935eb4da1e8e11df88cafeff67e4c56d1d944487a2bedd6ec7955fed5ce4fe

Download Submit
\Windows\SysWOW64\Pkdgpo32.exe

Filesize
208KB

MD5
a10bbd73c07da3ee678a6073d9b65f97

SHA1
da2dd7723e0d3d4afde2965ed0e93adc2d35f507

SHA256
22f2abab78a191c45ba51914f0131cbdba9f9e107c4f0dc4ff40434fd2c547ce

SHA512
bad4b3f774c8b359730ac5395c1f3237975a92b3259d8c46008aa071f43037f01dfaf3e48c292a24510b3ae876caf8ac29d468554e78e7c65132dea7497341e4

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
208KB

MD5
919a0a73c64f586e96d47f81ec34283b

SHA1
3020a603a66fead7d19cb36370864e51d801fb23

SHA256
d097e8a1e2bd6268fa37b32f363d68f5b8f9f0531ac1ac02fb05c0afc3b24758

SHA512
8e2c8ecca01bbc8e79fcd4110c9e04f2b626ae12b085c1c29022ac9504d662c90ebc10e407c8d21e78d6b833320a2ce4e6869600705ab4517ffe192f1499a6c6

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
208KB

MD5
dd3b074aba1e802f7b67c51e1603f0d9

SHA1
eea9e0292993861dcea684bf024d109c61657912

SHA256
2353538a573f152f77e98130459fff82d54e9e6ce631627d948cf7ff5a7bf456

SHA512
e1529b354253b6ef0c6261051019104ce82810cea96d277c3417df7a9fa0b0e7ca015f96c1815b83f4ae433ec9bc045070880592c8e134d44e627983747b139f

Download Submit
\Windows\SysWOW64\Qbplbi32.exe

Filesize
208KB

MD5
0ae173150d3d333f0e2536f33dc2a006

SHA1
b228685f17388819036770eeab99e06a619322d5

SHA256
118421d3152ead0e02ff790495a4f5ae0f9faf2d84984ae8ccaff04876321f19

SHA512
758dabefa2262f7272ba4fb71c4ecad203d2583440a0184013be2c41bb64c7ff7f3dc54ce0b461cc4126563a5cd64bccdf187288194e80341d6fd8891b8ff36d

Download Submit
memory/576-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/796-259-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/796-260-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/796-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/904-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/904-217-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1152-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-78-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1220-172-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/1260-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1260-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1260-107-0x0000000001F40000-0x0000000001F83000-memory.dmp

Filesize
268KB

Download
memory/1264-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1264-464-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1328-249-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1328-245-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1328-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-303-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1512-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-302-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1648-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-267-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1648-271-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1704-453-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-346-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1948-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-226-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2024-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-368-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2024-374-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2032-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2080-238-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2112-292-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2112-288-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2112-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2116-425-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2116-424-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2116-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-281-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2216-280-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2252-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-401-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2252-399-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2256-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-163-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2268-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-135-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2388-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-198-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2400-335-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2400-342-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2400-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-409-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2560-413-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2560-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-35-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2596-400-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2640-144-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2640-149-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2640-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-356-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2644-357-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2644-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-324-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2688-325-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2728-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2728-7-0x0000000001F40000-0x0000000001F83000-memory.dmp

Filesize
268KB

Download
memory/2728-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-93-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2748-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-447-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2748-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-87-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2796-314-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2796-313-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2796-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-436-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2872-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-117-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2896-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-21-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2936-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-60-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads